Description | Tests | Scoring | |||||
---|---|---|---|---|---|---|---|
Pass | Fail | Error | Unkn. | Score | Max | Percent | |
1 Account Policies | 6 | 1 | 0 | 2 | 6.0 | 9.0 | 67% |
1.1 Password Policy | 3 | 1 | 0 | 2 | 3.0 | 6.0 | 50% |
1.2 Account Lockout Policy | 3 | 0 | 0 | 0 | 3.0 | 3.0 | 100% |
2 Local Policies | 98 | 3 | 0 | 1 | 98.0 | 102.0 | 96% |
2.1 Audit Policy | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
2.2 User Rights Assignment | 35 | 2 | 0 | 0 | 35.0 | 37.0 | 95% |
2.3 Security Options | 63 | 1 | 0 | 1 | 63.0 | 65.0 | 97% |
2.3.1 Accounts | 5 | 1 | 0 | 0 | 5.0 | 6.0 | 83% |
2.3.2 Audit | 2 | 0 | 0 | 0 | 2.0 | 2.0 | 100% |
2.3.3 DCOM | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
2.3.4 Devices | 2 | 0 | 0 | 0 | 2.0 | 2.0 | 100% |
2.3.5 Domain controller | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
2.3.6 Domain member | 6 | 0 | 0 | 0 | 6.0 | 6.0 | 100% |
2.3.7 Interactive logon | 8 | 0 | 0 | 0 | 8.0 | 8.0 | 100% |
2.3.8 Microsoft network client | 3 | 0 | 0 | 0 | 3.0 | 3.0 | 100% |
2.3.9 Microsoft network server | 5 | 0 | 0 | 0 | 5.0 | 5.0 | 100% |
2.3.10 Network access | 10 | 0 | 0 | 1 | 10.0 | 11.0 | 91% |
2.3.11 Network security | 10 | 0 | 0 | 0 | 10.0 | 10.0 | 100% |
2.3.12 Recovery console | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
2.3.13 Shutdown | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
2.3.14 System cryptography | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
2.3.15 System objects | 2 | 0 | 0 | 0 | 2.0 | 2.0 | 100% |
2.3.16 System settings | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
2.3.17 User Account Control | 9 | 0 | 0 | 0 | 9.0 | 9.0 | 100% |
3 Event Log | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
4 Restricted Groups | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
5 System Services | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
6 Registry | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
7 File System | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
8 Wired Network (IEEE 802.3) Policies | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
9 Windows Firewall With Advanced Security | 27 | 3 | 0 | 0 | 27.0 | 30.0 | 90% |
9.1 Domain Profile | 10 | 0 | 0 | 0 | 10.0 | 10.0 | 100% |
9.2 Private Profile | 10 | 0 | 0 | 0 | 10.0 | 10.0 | 100% |
9.3 Public Profile | 7 | 3 | 0 | 0 | 7.0 | 10.0 | 70% |
10 Network List Manager Policies | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
11 Wireless Network (IEEE 802.11) Policies | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
12 Public Key Policies | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
13 Software Restriction Policies | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
14 Network Access Protection NAP Client Configuration | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
15 Application Control Policies | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
16 IP Security Policies | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
17 Advanced Audit Policy Configuration | 24 | 0 | 0 | 0 | 24.0 | 24.0 | 100% |
17.1 Account Logon | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
17.2 Account Management | 5 | 0 | 0 | 0 | 5.0 | 5.0 | 100% |
17.3 Detailed Tracking | 2 | 0 | 0 | 0 | 2.0 | 2.0 | 100% |
17.4 DS Access | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
17.5 Logon/Logoff | 6 | 0 | 0 | 0 | 6.0 | 6.0 | 100% |
17.6 Object Access | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
17.7 Policy Change | 3 | 0 | 0 | 0 | 3.0 | 3.0 | 100% |
17.8 Privilege Use | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
17.9 System | 5 | 0 | 0 | 0 | 5.0 | 5.0 | 100% |
18 Administrative Templates (Computer) | 102 | 2 | 0 | 0 | 102.0 | 104.0 | 98% |
18.1 Control Panel | 3 | 0 | 0 | 0 | 3.0 | 3.0 | 100% |
18.1.1 Personalization | 2 | 0 | 0 | 0 | 2.0 | 2.0 | 100% |
18.1.2 Regional and Language Options | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
18.2 LAPS | 6 | 0 | 0 | 0 | 6.0 | 6.0 | 100% |
18.3 MSS (Legacy) | 8 | 0 | 0 | 0 | 8.0 | 8.0 | 100% |
18.4 Network | 7 | 1 | 0 | 0 | 7.0 | 8.0 | 88% |
18.4.1 Background Intelligent Transfer Service (BITS) | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.4.2 BranchCache | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.4.3 DirectAccess Client Experience Settings | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.4.4 DNS Client | 1 | 1 | 0 | 0 | 1.0 | 2.0 | 50% |
18.4.5 Fonts | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.4.6 Hotspot Authentication | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.4.7 Lanman Server | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.4.8 Lanman Workstation | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
18.4.9 Link-Layer Topology Discovery | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.4.10 Microsoft Peer-to-Peer Networking Services | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.4.10.1 Peer Name Resolution Protocol | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.4.11 Network Connections | 3 | 0 | 0 | 0 | 3.0 | 3.0 | 100% |
18.4.11.1 Windows Firewall | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.4.12 Network Connectivity Status Indicator | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.4.13 Network Isolation | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.4.14 Network Provider | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
18.4.15 Offline Files | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.4.16 QoS Packet Scheduler | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.4.17 SNMP | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.4.18 SSL Configuration Settings | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.4.19 TCPIP Settings | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.4.19.1 IPv6 Transition Technologies | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.4.19.2 Parameters | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.4.20 Windows Connect Now | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.4.21 Windows Connection Manager | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
18.5 Printers | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.6 SCM: Pass the Hash Mitigations | 2 | 0 | 0 | 0 | 2.0 | 2.0 | 100% |
18.7 Start Menu and Taskbar | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8 System | 16 | 0 | 0 | 0 | 16.0 | 16.0 | 100% |
18.8.1 Access-Denied Assistance | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.2 App-V | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.3 Audit Process Creation | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
18.8.4 Credentials Delegation | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.5 Device Guard | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.6 Device Installation | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.6.1 Device Installation Restrictions | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.7 Device Redirection | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.8 Disk NV Cache | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.9 Disk Quotas | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.10 Distributed COM | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.11 Driver Installation | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.12 Early Launch Antimalware | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
18.8.13 Enhanced Storage Access | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.14 File Classification Infrastructure | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.15 File Share Shadow Copy Agent | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.16 File Share Shadow Copy Provider | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.17 Filesystem | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.18 Folder Redirection | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.19 Group Policy | 4 | 0 | 0 | 0 | 4.0 | 4.0 | 100% |
18.8.19.1 Logging and tracing | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.20 Internet Communication Management | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.20.1 Internet Communication settings | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.21 iSCSI | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.22 KDC | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.23 Kerberos | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.24 Locale Services | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.25 Logon | 6 | 0 | 0 | 0 | 6.0 | 6.0 | 100% |
18.8.26 Mitigation Options | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
18.8.27 Net Logon | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.28 Performance Control Panel | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.29 Power Management | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.29.1 Button Settings | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.29.2 Energy Saver Settings | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.29.3 Hard Disk Settings | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.29.4 Notification Settings | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.29.5 Sleep Settings | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.30 Recovery | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.31 Remote Assistance | 2 | 0 | 0 | 0 | 2.0 | 2.0 | 100% |
18.8.32 Remote Procedure Call | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
18.8.33 Removable Storage Access | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.34 Scripts | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.35 Server Manager | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.36 Shutdown | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.37 Shutdown Options | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.38 System Restore | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.39 Troubleshooting and Diagnostics | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.39.1 Application Compatibility Diagnostics | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.39.2 Corrupted File Recovery | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.39.3 Disk Diagnostic | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.39.4 Fault Tolerant Heap | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.39.5 Microsoft Support Diagnostic Tool | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.39.6 MSI Corrupted File Recovery | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.39.7 Scheduled Maintenance | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.39.8 Scripted Diagnostics | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.39.9 Windows Boot Performance Diagnostics | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.39.10 Windows Memory Leak Diagnosis | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.39.11 Windows Performance PerfTrack | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.40 Trusted Platform Module Services | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.41 User Profiles | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.42 Windows File Protection | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.43 Windows HotStart | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.44 Windows Time Service | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.8.44.1 Time Providers | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9 Windows Components | 60 | 1 | 0 | 0 | 60.0 | 61.0 | 98% |
18.9.1 Active Directory Federation Services | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.2 ActiveX Installer Service | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.3 Add features to Windows 8 / 8.1 / 10 | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.4 App Package Deployment | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.5 App Privacy | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.6 App runtime | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
18.9.7 Application Compatibility | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.8 AutoPlay Policies | 3 | 0 | 0 | 0 | 3.0 | 3.0 | 100% |
18.9.9 Backup | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.10 Biometrics | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
18.9.10.1 Facial Features | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
18.9.11 BitLocker Drive Encryption | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.12 Camera | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.13 Cloud Content | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
18.9.14 Connect | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
18.9.15 Credential User Interface | 2 | 0 | 0 | 0 | 2.0 | 2.0 | 100% |
18.9.16 Data Collection and Preview Builds | 4 | 0 | 0 | 0 | 4.0 | 4.0 | 100% |
18.9.17 Delivery Optimization | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.18 Desktop Gadgets | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.19 Desktop Window Manager | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.20 Device and Driver Compatibility | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.21 Device Registration (formerly Workplace Join) | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.22 Digital Locker | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.23 Edge UI | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.24 EMET | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.25 Event Forwarding | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.26 Event Log Service | 8 | 0 | 0 | 0 | 8.0 | 8.0 | 100% |
18.9.26.1 Application | 2 | 0 | 0 | 0 | 2.0 | 2.0 | 100% |
18.9.26.2 Security | 2 | 0 | 0 | 0 | 2.0 | 2.0 | 100% |
18.9.26.3 Setup | 2 | 0 | 0 | 0 | 2.0 | 2.0 | 100% |
18.9.26.4 System | 2 | 0 | 0 | 0 | 2.0 | 2.0 | 100% |
18.9.27 Event Logging | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.28 Event Viewer | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.29 Family Safety | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.30 File Explorer | 4 | 0 | 0 | 0 | 4.0 | 4.0 | 100% |
18.9.30.1 Previous Versions | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.31 File History | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.32 Game Explorer | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.33 HomeGroup | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.34 Import Video | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.35 Internet Explorer | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.36 Internet Information Services | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.37 Location and Sensors | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.37.1 Windows Location Provider | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.38 Maintenance Scheduler | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.39 Maps | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.40 MDM | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.41 Microsoft Edge | 4 | 0 | 0 | 0 | 4.0 | 4.0 | 100% |
18.9.42 Microsoft Secondary Authentication Factor | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.43 Microsoft User Experience Virtualization | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.44 NetMeeting | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.45 Network Access Protection | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.46 Network Projector | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.47 OneDrive (formerly SkyDrive) | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
18.9.48 Online Assistance | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.49 Password Synchronization | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.50 Portable Operating System | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.51 Presentation Settings | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.52 Remote Desktop Services (formerly Terminal Services) | 6 | 1 | 0 | 0 | 6.0 | 7.0 | 86% |
18.9.52.1 RD Licensing | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.52.2 Remote Desktop Connection Client | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
18.9.52.2.1 RemoteFX USB Device Redirection | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.52.3 Remote Desktop Session Host | 5 | 1 | 0 | 0 | 5.0 | 6.0 | 83% |
18.9.52.3.1 Application Compatibility | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.52.3.2 Connections | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.52.3.3 Device and Resource Redirection | 0 | 1 | 0 | 0 | 0.0 | 1.0 | 0% |
18.9.52.3.4 Licensing | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.52.3.5 Printer Redirection | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.52.3.6 Profiles | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.52.3.7 RD Connection Broker | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.52.3.8 Remote Session Environment | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.52.3.9 Security | 3 | 0 | 0 | 0 | 3.0 | 3.0 | 100% |
18.9.52.3.10 Session Time Limits | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.52.3.11 Temporary folders | 2 | 0 | 0 | 0 | 2.0 | 2.0 | 100% |
18.9.53 RSS Feeds | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
18.9.54 Search | 4 | 0 | 0 | 0 | 4.0 | 4.0 | 100% |
18.9.54.1 OCR | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.55 Security Center | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.56 Server for NIS | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.57 Shutdown Options | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.58 Smart Card | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.59 Software Protection Platform | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.60 Sound Recorder | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.61 Store | 2 | 0 | 0 | 0 | 2.0 | 2.0 | 100% |
18.9.62 Sync your settings | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.63 Tablet PC | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.64 Task Scheduler | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.65 Text Input | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.66 Windows Calendar | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.67 Windows Color System | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.68 Windows Customer Experience Improvement Program | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.69 Windows Defender | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.69.1 Client Interface | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.69.2 Exclusions | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.69.3 MAPS | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.69.4 Network Inspection System | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.69.5 Quarantine | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.69.6 Real-time Protection | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.69.7 Remediation | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.69.8 Reporting | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.70 Windows Error Reporting | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.70.1 Advanced Error Reporting Settings | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.70.2 Consent | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.71 Windows Game Recording and Broadcasting | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.72 Windows Hello for Business (formerly Microsoft Passport for Work) | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.73 Windows Ink Workspace | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
18.9.74 Windows Installer | 2 | 0 | 0 | 0 | 2.0 | 2.0 | 100% |
18.9.75 Windows Logon Options | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
18.9.76 Windows Mail | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.77 Windows Media Center | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.78 Windows Media Digital Rights Management | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.79 Windows Media Player | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.80 Windows Meeting Space | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.81 Windows Messenger | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.82 Windows Mobility Center | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.83 Windows Movie Maker | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.84 Windows PowerShell | 2 | 0 | 0 | 0 | 2.0 | 2.0 | 100% |
18.9.85 Windows Reliability Analysis | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.86 Windows Remote Management (WinRM) | 6 | 0 | 0 | 0 | 6.0 | 6.0 | 100% |
18.9.86.1 WinRM Client | 3 | 0 | 0 | 0 | 3.0 | 3.0 | 100% |
18.9.86.2 WinRM Service | 3 | 0 | 0 | 0 | 3.0 | 3.0 | 100% |
18.9.87 Windows Remote Shell | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.88 Windows SideShow | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.89 Windows System Resource Manager | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
18.9.90 Windows Update | 5 | 0 | 0 | 0 | 5.0 | 5.0 | 100% |
18.9.90.1 Defer Windows Updates | 2 | 0 | 0 | 0 | 2.0 | 2.0 | 100% |
19 Administrative Templates (User) | 10 | 0 | 0 | 0 | 10.0 | 10.0 | 100% |
19.1 Control Panel | 4 | 0 | 0 | 0 | 4.0 | 4.0 | 100% |
19.1.1 Add or Remove Programs | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.1.2 Display | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.1.3 Personalization | 4 | 0 | 0 | 0 | 4.0 | 4.0 | 100% |
19.2 Desktop | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.3 Network | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.4 Shared Folders | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.5 Start Menu and Taskbar | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
19.5.1 Notifications | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
19.6 System | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.6.1 Ctrl+Alt+Del Options | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.6.2 Driver Installation | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.6.3 Folder Redirection | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.6.4 Group Policy | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.6.5 Internet Communication Management | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.6.5.1 Internet Communication settings | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7 Windows Components | 5 | 0 | 0 | 0 | 5.0 | 5.0 | 100% |
19.7.1 Add features to Windows 8 / 8.1 / 10 | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.2 App runtime | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.3 Application Compatibility | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.4 Attachment Manager | 2 | 0 | 0 | 0 | 2.0 | 2.0 | 100% |
19.7.5 AutoPlay Policies | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.6 Backup | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.7 Cloud Content | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
19.7.8 Credential User Interface | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.9 Data Collection and Preview Builds | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.10 Desktop Gadgets | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.11 Desktop Window Manager | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.12 Digital Locker | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.13 Edge UI | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.14 File Explorer | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.15 File Revocation | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.16 IME | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.17 Import Video | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.18 Instant Search | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.19 Internet Explorer | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.20 Location and Sensors | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.21 Microsoft Edge | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.22 Microsoft Management Console | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.23 Microsoft User Experience Virtualization | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.24 NetMeeting | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.25 Network Projector | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.26 Network Sharing | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
19.7.27 Presentation Settings | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.28 Remote Desktop Services | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.29 RSS Feeds | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.30 Search | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.31 Sound Recorder | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.32 Store | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.33 Tablet PC | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.34 Task Scheduler | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.35 Windows Calendar | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.36 Windows Color System | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.37 Windows Error Reporting | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.38 Windows Hello for Business (formerly Microsoft Passport for Work) | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.39 Windows Installer | 1 | 0 | 0 | 0 | 1.0 | 1.0 | 100% |
19.7.40 Windows Logon Options | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.41 Windows Mail | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.42 Windows Media Center | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.43 Windows Media Player | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.43.1 Networking | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
19.7.43.2 Playback | 0 | 0 | 0 | 0 | 0.0 | 0.0 | 0% |
Total | 267 | 9 | 0 | 3 | 267.0 | 279.0 | 96% |
This benchmark contains 4 profiles.The Level 1 - Member Server profile was used for this assessment.
Title | Description |
---|---|
Level 1 - Domain Controller |
Items in this profile apply to Domain Controllers and intend to:
Show
<Profile xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:cc="http://cisecurity.org/20-cc/v6.1" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ecl="http://cisecurity.org/check" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Domain_Controller"> <title xml:lang="en">Level 1 - Domain Controller</title> <description xml:lang="en"> <xhtml:p>Items in this profile apply to Domain Controllers and intend to:</xhtml:p> <xhtml:ul> <xhtml:li>be practical and prudent;</xhtml:li> <xhtml:li>provide a clear security benefit; and</xhtml:li> <xhtml:li>not inhibit the utility of the technology beyond acceptable means.</xhtml:li> </xhtml:ul> </description> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1_L1_Ensure_Enforce_password_history_is_set_to_24_or_more_passwords" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2_L1_Ensure_Maximum_password_age_is_set_to_60_or_fewer_days_but_not_0" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3_L1_Ensure_Minimum_password_age_is_set_to_1_or_more_days" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4_L1_Ensure_Minimum_password_length_is_set_to_14_or_more_characters" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5_L1_Ensure_Password_must_meet_complexity_requirements_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6_L1_Ensure_Store_passwords_using_reversible_encryption_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.1_L1_Ensure_Account_lockout_duration_is_set_to_15_or_more_minutes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.2_L1_Ensure_Account_lockout_threshold_is_set_to_10_or_fewer_invalid_logon_attempts_but_not_0" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.3_L1_Ensure_Reset_account_lockout_counter_after_is_set_to_15_or_more_minutes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.1_L1_Ensure_Access_Credential_Manager_as_a_trusted_caller_is_set_to_No_One" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.2_L1_Configure_Access_this_computer_from_the_network" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.3_L1_Ensure_Act_as_part_of_the_operating_system_is_set_to_No_One" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.4_L1_Ensure_Add_workstations_to_domain_is_set_to_Administrators_DC_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.5_L1_Ensure_Adjust_memory_quotas_for_a_process_is_set_to_Administrators_LOCAL_SERVICE_NETWORK_SERVICE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.6_L1_Configure_Allow_log_on_locally" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.7_L1_Configure_Allow_log_on_through_Remote_Desktop_Services" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.8_L1_Ensure_Back_up_files_and_directories_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.9_L1_Ensure_Change_the_system_time_is_set_to_Administrators_LOCAL_SERVICE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.10_L1_Ensure_Change_the_time_zone_is_set_to_Administrators_LOCAL_SERVICE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.11_L1_Ensure_Create_a_pagefile_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.12_L1_Ensure_Create_a_token_object_is_set_to_No_One" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.13_L1_Ensure_Create_global_objects_is_set_to_Administrators_LOCAL_SERVICE_NETWORK_SERVICE_SERVICE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.14_L1_Ensure_Create_permanent_shared_objects_is_set_to_No_One" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.15_L1_Configure_Create_symbolic_links" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.16_L1_Ensure_Debug_programs_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.17_L1_Configure_Deny_access_to_this_computer_from_the_network" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.18_L1_Ensure_Deny_log_on_as_a_batch_job_to_include_Guests" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.19_L1_Ensure_Deny_log_on_as_a_service_to_include_Guests" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.20_L1_Ensure_Deny_log_on_locally_to_include_Guests" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.21_L1_Ensure_Deny_log_on_through_Remote_Desktop_Services_to_include_Guests_Local_account" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.22_L1_Configure_Enable_computer_and_user_accounts_to_be_trusted_for_delegation" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.23_L1_Ensure_Force_shutdown_from_a_remote_system_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.24_L1_Ensure_Generate_security_audits_is_set_to_LOCAL_SERVICE_NETWORK_SERVICE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.25_L1_Configure_Impersonate_a_client_after_authentication" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.26_L1_Ensure_Increase_scheduling_priority_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.27_L1_Ensure_Load_and_unload_device_drivers_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.28_L1_Ensure_Lock_pages_in_memory_is_set_to_No_One" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.30_L1_Configure_Manage_auditing_and_security_log" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.31_L1_Ensure_Modify_an_object_label_is_set_to_No_One" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.32_L1_Ensure_Modify_firmware_environment_values_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.33_L1_Ensure_Perform_volume_maintenance_tasks_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.34_L1_Ensure_Profile_single_process_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.35_L1_Ensure_Profile_system_performance_is_set_to_Administrators_NT_SERVICEWdiServiceHost" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.36_L1_Ensure_Replace_a_process_level_token_is_set_to_LOCAL_SERVICE_NETWORK_SERVICE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.37_L1_Ensure_Restore_files_and_directories_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.38_L1_Ensure_Shut_down_the_system_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.39_L1_Ensure_Synchronize_directory_service_data_is_set_to_No_One_DC_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.40_L1_Ensure_Take_ownership_of_files_or_other_objects_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1.1_L1_Ensure_Accounts_Administrator_account_status_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1.2_L1_Ensure_Accounts_Block_Microsoft_accounts_is_set_to_Users_cant_add_or_log_on_with_Microsoft_accounts" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1.3_L1_Ensure_Accounts_Guest_account_status_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1.4_L1_Ensure_Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1.5_L1_Configure_Accounts_Rename_administrator_account" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1.6_L1_Configure_Accounts_Rename_guest_account" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.2.1_L1_Ensure_Audit_Force_audit_policy_subcategory_settings_Windows_Vista_or_later_to_override_audit_policy_category_settings_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.2.2_L1_Ensure_Audit_Shut_down_system_immediately_if_unable_to_log_security_audits_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.4.1_L1_Ensure_Devices_Allowed_to_format_and_eject_removable_media_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.4.2_L1_Ensure_Devices_Prevent_users_from_installing_printer_drivers_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.5.1_L1_Ensure_Domain_controller_Allow_server_operators_to_schedule_tasks_is_set_to_Disabled_DC_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.5.2_L1_Ensure_Domain_controller_LDAP_server_signing_requirements_is_set_to_Require_signing_DC_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.5.3_L1_Ensure_Domain_controller_Refuse_machine_account_password_changes_is_set_to_Disabled_DC_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6.1_L1_Ensure_Domain_member_Digitally_encrypt_or_sign_secure_channel_data_always_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6.2_L1_Ensure_Domain_member_Digitally_encrypt_secure_channel_data_when_possible_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6.3_L1_Ensure_Domain_member_Digitally_sign_secure_channel_data_when_possible_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6.4_L1_Ensure_Domain_member_Disable_machine_account_password_changes_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6.5_L1_Ensure_Domain_member_Maximum_machine_account_password_age_is_set_to_30_or_fewer_days_but_not_0" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6.6_L1_Ensure_Domain_member_Require_strong_Windows_2000_or_later_session_key_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.1_L1_Ensure_Interactive_logon_Do_not_display_last_user_name_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.2_L1_Ensure_Interactive_logon_Do_not_require_CTRLALTDEL_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.3_L1_Ensure_Interactive_logon_Machine_inactivity_limit_is_set_to_900_or_fewer_seconds_but_not_0" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.4_L1_Configure_Interactive_logon_Message_text_for_users_attempting_to_log_on" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.5_L1_Configure_Interactive_logon_Message_title_for_users_attempting_to_log_on" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.7_L1_Ensure_Interactive_logon_Prompt_user_to_change_password_before_expiration_is_set_to_between_5_and_14_days" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.9_L1_Ensure_Interactive_logon_Smart_card_removal_behavior_is_set_to_Lock_Workstation_or_higher" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.8.1_L1_Ensure_Microsoft_network_client_Digitally_sign_communications_always_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.8.2_L1_Ensure_Microsoft_network_client_Digitally_sign_communications_if_server_agrees_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.8.3_L1_Ensure_Microsoft_network_client_Send_unencrypted_password_to_third-party_SMB_servers_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.9.1_L1_Ensure_Microsoft_network_server_Amount_of_idle_time_required_before_suspending_session_is_set_to_15_or_fewer_minutes_but_not_0" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.9.2_L1_Ensure_Microsoft_network_server_Digitally_sign_communications_always_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.9.3_L1_Ensure_Microsoft_network_server_Digitally_sign_communications_if_client_agrees_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.9.4_L1_Ensure_Microsoft_network_server_Disconnect_clients_when_logon_hours_expire_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.1_L1_Ensure_Network_access_Allow_anonymous_SIDName_translation_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.5_L1_Ensure_Network_access_Let_Everyone_permissions_apply_to_anonymous_users_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.6_L1_Configure_Network_access_Named_Pipes_that_can_be_accessed_anonymously" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.7_L1_Configure_Network_access_Remotely_accessible_registry_paths" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.8_L1_Configure_Network_access_Remotely_accessible_registry_paths_and_sub-paths" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.9_L1_Ensure_Network_access_Restrict_anonymous_access_to_Named_Pipes_and_Shares_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.11_L1_Ensure_Network_access_Shares_that_can_be_accessed_anonymously_is_set_to_None" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.12_L1_Ensure_Network_access_Sharing_and_security_model_for_local_accounts_is_set_to_Classic_-_local_users_authenticate_as_themselves" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.1_L1_Ensure_Network_security_Allow_Local_System_to_use_computer_identity_for_NTLM_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.2_L1_Ensure_Network_security_Allow_LocalSystem_NULL_session_fallback_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.3_L1_Ensure_Network_Security_Allow_PKU2U_authentication_requests_to_this_computer_to_use_online_identities_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.4_L1_Ensure_Network_security_Configure_encryption_types_allowed_for_Kerberos_is_set_to_RC4_HMAC_MD5_AES128_HMAC_SHA1_AES256_HMAC_SHA1_Future_encryption_types" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.5_L1_Ensure_Network_security_Do_not_store_LAN_Manager_hash_value_on_next_password_change_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.6_L1_Ensure_Network_security_Force_logoff_when_logon_hours_expire_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.7_L1_Ensure_Network_security_LAN_Manager_authentication_level_is_set_to_Send_NTLMv2_response_only._Refuse_LM__NTLM" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.8_L1_Ensure_Network_security_LDAP_client_signing_requirements_is_set_to_Negotiate_signing_or_higher" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.9_L1_Ensure_Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_clients_is_set_to_Require_NTLMv2_session_security_Require_128-bit_encryption" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.10_L1_Ensure_Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_servers_is_set_to_Require_NTLMv2_session_security_Require_128-bit_encryption" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.13.1_L1_Ensure_Shutdown_Allow_system_to_be_shut_down_without_having_to_log_on_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.15.1_L1_Ensure_System_objects_Require_case_insensitivity_for_non-Windows_subsystems_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.15.2_L1_Ensure_System_objects_Strengthen_default_permissions_of_internal_system_objects_e.g._Symbolic_Links_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.1_L1_Ensure_User_Account_Control_Admin_Approval_Mode_for_the_Built-in_Administrator_account_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.2_L1_Ensure_User_Account_Control_Allow_UIAccess_applications_to_prompt_for_elevation_without_using_the_secure_desktop_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.3_L1_Ensure_User_Account_Control_Behavior_of_the_elevation_prompt_for_administrators_in_Admin_Approval_Mode_is_set_to_Prompt_for_consent_on_the_secure_desktop" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.4_L1_Ensure_User_Account_Control_Behavior_of_the_elevation_prompt_for_standard_users_is_set_to_Automatically_deny_elevation_requests" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.5_L1_Ensure_User_Account_Control_Detect_application_installations_and_prompt_for_elevation_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.6_L1_Ensure_User_Account_Control_Only_elevate_UIAccess_applications_that_are_installed_in_secure_locations_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.7_L1_Ensure_User_Account_Control_Run_all_administrators_in_Admin_Approval_Mode_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.8_L1_Ensure_User_Account_Control_Switch_to_the_secure_desktop_when_prompting_for_elevation_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.9_L1_Ensure_User_Account_Control_Virtualize_file_and_registry_write_failures_to_per-user_locations_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.1_L1_Ensure_Windows_Firewall_Domain_Firewall_state_is_set_to_On_recommended" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.2_L1_Ensure_Windows_Firewall_Domain_Inbound_connections_is_set_to_Block_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.3_L1_Ensure_Windows_Firewall_Domain_Outbound_connections_is_set_to_Allow_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.4_L1_Ensure_Windows_Firewall_Domain_Settings_Display_a_notification_is_set_to_No" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.5_L1_Ensure_Windows_Firewall_Domain_Settings_Apply_local_firewall_rules_is_set_to_Yes_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.6_L1_Ensure_Windows_Firewall_Domain_Settings_Apply_local_connection_security_rules_is_set_to_Yes_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.7_L1_Ensure_Windows_Firewall_Domain_Logging_Name_is_set_to_SYSTEMROOTSystem32logfilesfirewalldomainfw.log" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.8_L1_Ensure_Windows_Firewall_Domain_Logging_Size_limit_KB_is_set_to_16384_KB_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.9_L1_Ensure_Windows_Firewall_Domain_Logging_Log_dropped_packets_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.10_L1_Ensure_Windows_Firewall_Domain_Logging_Log_successful_connections_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.1_L1_Ensure_Windows_Firewall_Private_Firewall_state_is_set_to_On_recommended" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.2_L1_Ensure_Windows_Firewall_Private_Inbound_connections_is_set_to_Block_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.3_L1_Ensure_Windows_Firewall_Private_Outbound_connections_is_set_to_Allow_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.4_L1_Ensure_Windows_Firewall_Private_Settings_Display_a_notification_is_set_to_No" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.5_L1_Ensure_Windows_Firewall_Private_Settings_Apply_local_firewall_rules_is_set_to_Yes_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.6_L1_Ensure_Windows_Firewall_Private_Settings_Apply_local_connection_security_rules_is_set_to_Yes_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.7_L1_Ensure_Windows_Firewall_Private_Logging_Name_is_set_to_SYSTEMROOTSystem32logfilesfirewallprivatefw.log" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.8_L1_Ensure_Windows_Firewall_Private_Logging_Size_limit_KB_is_set_to_16384_KB_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.9_L1_Ensure_Windows_Firewall_Private_Logging_Log_dropped_packets_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.10_L1_Ensure_Windows_Firewall_Private_Logging_Log_successful_connections_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.1_L1_Ensure_Windows_Firewall_Public_Firewall_state_is_set_to_On_recommended" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.2_L1_Ensure_Windows_Firewall_Public_Inbound_connections_is_set_to_Block_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.3_L1_Ensure_Windows_Firewall_Public_Outbound_connections_is_set_to_Allow_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.4_L1_Ensure_Windows_Firewall_Public_Settings_Display_a_notification_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.5_L1_Ensure_Windows_Firewall_Public_Settings_Apply_local_firewall_rules_is_set_to_No" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.6_L1_Ensure_Windows_Firewall_Public_Settings_Apply_local_connection_security_rules_is_set_to_No" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.7_L1_Ensure_Windows_Firewall_Public_Logging_Name_is_set_to_SYSTEMROOTSystem32logfilesfirewallpublicfw.log" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.8_L1_Ensure_Windows_Firewall_Public_Logging_Size_limit_KB_is_set_to_16384_KB_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.9_L1_Ensure_Windows_Firewall_Public_Logging_Log_dropped_packets_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.10_L1_Ensure_Windows_Firewall_Public_Logging_Log_successful_connections_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.1.1_L1_Ensure_Audit_Credential_Validation_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.2.1_L1_Ensure_Audit_Application_Group_Management_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.2.2_L1_Ensure_Audit_Computer_Account_Management_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.2.3_L1_Ensure_Audit_Distribution_Group_Management_is_set_to_Success_and_Failure_DC_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.2.4_L1_Ensure_Audit_Other_Account_Management_Events_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.2.5_L1_Ensure_Audit_Security_Group_Management_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.2.6_L1_Ensure_Audit_User_Account_Management_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.3.1_L1_Ensure_Audit_PNP_Activity_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.3.2_L1_Ensure_Audit_Process_Creation_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.4.1_L1_Ensure_Audit_Directory_Service_Access_is_set_to_Success_and_Failure_DC_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.4.2_L1_Ensure_Audit_Directory_Service_Changes_is_set_to_Success_and_Failure_DC_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.5.1_L1_Ensure_Audit_Account_Lockout_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.5.2_L1_Ensure_Audit_Group_Membership_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.5.3_L1_Ensure_Audit_Logoff_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.5.4_L1_Ensure_Audit_Logon_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.5.5_L1_Ensure_Audit_Other_LogonLogoff_Events_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.5.6_L1_Ensure_Audit_Special_Logon_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.6.1_L1_Ensure_Audit_Removable_Storage_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.7.1_L1_Ensure_Audit_Audit_Policy_Change_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.7.2_L1_Ensure_Audit_Authentication_Policy_Change_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.7.3_L1_Ensure_Audit_Authorization_Policy_Change_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.8.1_L1_Ensure_Audit_Sensitive_Privilege_Use_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.9.1_L1_Ensure_Audit_IPsec_Driver_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.9.2_L1_Ensure_Audit_Other_System_Events_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.9.3_L1_Ensure_Audit_Security_State_Change_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.9.4_L1_Ensure_Audit_Security_System_Extension_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.9.5_L1_Ensure_Audit_System_Integrity_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.1.1.1_L1_Ensure_Prevent_enabling_lock_screen_camera_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.1.1.2_L1_Ensure_Prevent_enabling_lock_screen_slide_show_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.1.2.1_L1_Ensure_Allow_Input_Personalization_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.1_L1_Ensure_MSS_AutoAdminLogon_Enable_Automatic_Logon_not_recommended_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.2_L1_Ensure_MSS_DisableIPSourceRouting_IPv6_IP_source_routing_protection_level_protects_against_packet_spoofing_is_set_to_Enabled_Highest_protection_source_routing_is_completely_disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.3_L1_Ensure_MSS_DisableIPSourceRouting_IP_source_routing_protection_level_protects_against_packet_spoofing_is_set_to_Enabled_Highest_protection_source_routing_is_completely_disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.4_L1_Ensure_MSS_EnableICMPRedirect_Allow_ICMP_redirects_to_override_OSPF_generated_routes_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.6_L1_Ensure_MSS_NoNameReleaseOnDemand_Allow_the_computer_to_ignore_NetBIOS_name_release_requests_except_from_WINS_servers_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.8_L1_Ensure_MSS_SafeDllSearchMode_Enable_Safe_DLL_search_mode_recommended_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.9_L1_Ensure_MSS_ScreenSaverGracePeriod_The_time_in_seconds_before_the_screen_saver_grace_period_expires_0_recommended_is_set_to_Enabled_5_or_fewer_seconds" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.12_L1_Ensure_MSS_WarningLevel_Percentage_threshold_for_the_security_event_log_at_which_the_system_will_generate_a_warning_is_set_to_Enabled_90_or_less" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.8.1_L1_Ensure_Enable_insecure_guest_logons_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.11.2_L1_Ensure_Prohibit_installation_and_configuration_of_Network_Bridge_on_your_DNS_domain_network_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.11.3_L1_Ensure_Prohibit_use_of_Internet_Connection_Sharing_on_your_DNS_domain_network_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.11.4_L1_Ensure_Require_domain_users_to_elevate_when_setting_a_networks_location_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.14.1_L1_Ensure_Hardened_UNC_Paths_is_set_to_Enabled_with_Require_Mutual_Authentication_and_Require_Integrity_set_for_all_NETLOGON_and_SYSVOL_shares" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.21.1_L1_Ensure_Minimize_the_number_of_simultaneous_connections_to_the_Internet_or_a_Windows_Domain_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.6.2_L1_Ensure_WDigest_Authentication_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.3.1_L1_Ensure_Include_command_line_in_process_creation_events_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.12.1_L1_Ensure_Boot-Start_Driver_Initialization_Policy_is_set_to_Enabled_Good_unknown_and_bad_but_critical" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.19.2_L1_Ensure_Configure_registry_policy_processing_Do_not_apply_during_periodic_background_processing_is_set_to_Enabled_FALSE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.19.3_L1_Ensure_Configure_registry_policy_processing_Process_even_if_the_Group_Policy_objects_have_not_changed_is_set_to_Enabled_TRUE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.19.4__L1_Ensure_Continue_experiences_on_this_device_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.19.5_L1_Ensure_Turn_off_background_refresh_of_Group_Policy_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.25.1_L1_Ensure_Block_user_from_showing_account_details_on_sign-in_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.25.2_L1_Ensure_Do_not_display_network_selection_UI_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.25.3_L1_Ensure_Do_not_enumerate_connected_users_on_domain-joined_computers_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.25.4_L1_Ensure_Enumerate_local_users_on_domain-joined_computers_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.25.5_L1_Ensure_Turn_off_app_notifications_on_the_lock_screen_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.25.6_L1_Ensure_Turn_on_convenience_PIN_sign-in_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.26.1_L1_Ensure_Untrusted_Font_Blocking_is_set_to_Enabled_Block_untrusted_fonts_and_log_events" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.31.1_L1_Ensure_Configure_Offer_Remote_Assistance_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.31.2_L1_Ensure_Configure_Solicited_Remote_Assistance_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.6.1_L1_Ensure_Allow_Microsoft_accounts_to_be_optional_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.8.1_L1_Ensure_Disallow_Autoplay_for_non-volume_devices_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.8.2_L1_Ensure_Set_the_default_behavior_for_AutoRun_is_set_to_Enabled_Do_not_execute_any_autorun_commands" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.8.3_L1_Ensure_Turn_off_Autoplay_is_set_to_Enabled_All_drives" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.10.1.1_L1_Ensure_Use_enhanced_anti-spoofing_when_available_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.13.1_L1_Ensure_Turn_off_Microsoft_consumer_experiences_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.14.1_L1_Ensure_Require_pin_for_pairing_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.15.1_L1_Ensure_Do_not_display_the_password_reveal_button_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.15.2_L1_Ensure_Enumerate_administrator_accounts_on_elevation_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.16.1_L1_Ensure_Allow_Telemetry_is_set_to_Enabled_0_-_Security_Enterprise_Only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.16.2_L1_Ensure_Disable_pre-release_features_or_settings_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.16.3_L1_Ensure_Do_not_show_feedback_notifications_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.16.4_L1_Ensure_Toggle_user_control_over_Insider_builds_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.1.1_L1_Ensure_Application_Control_Event_Log_behavior_when_the_log_file_reaches_its_maximum_size_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.1.2_L1_Ensure_Application_Specify_the_maximum_log_file_size_KB_is_set_to_Enabled_32768_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.2.1_L1_Ensure_Security_Control_Event_Log_behavior_when_the_log_file_reaches_its_maximum_size_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.2.2_L1_Ensure_Security_Specify_the_maximum_log_file_size_KB_is_set_to_Enabled_196608_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.3.1_L1_Ensure_Setup_Control_Event_Log_behavior_when_the_log_file_reaches_its_maximum_size_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.3.2_L1_Ensure_Setup_Specify_the_maximum_log_file_size_KB_is_set_to_Enabled_32768_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.4.1_L1_Ensure_System_Control_Event_Log_behavior_when_the_log_file_reaches_its_maximum_size_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.4.2_L1_Ensure_System_Specify_the_maximum_log_file_size_KB_is_set_to_Enabled_32768_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.30.2_L1_Ensure_Configure_Windows_SmartScreen_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.30.3_L1_Ensure_Turn_off_Data_Execution_Prevention_for_Explorer_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.30.4_L1_Ensure_Turn_off_heap_termination_on_corruption_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.30.5_L1_Ensure_Turn_off_shell_protocol_protected_mode_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.3_L1_Ensure_Configure_cookies_is_set_to_Enabled_Block_only_3rd-party_cookies_or_higher" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.4_L1_Ensure_Configure_Password_Manager_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.6_L1_Ensure_Configure_search_suggestions_in_Address_bar_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.7_L1_Ensure_Configure_SmartScreen_Filter_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.47.1_L1_Ensure_Prevent_the_usage_of_OneDrive_for_file_storage_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.2.2_L1_Ensure_Do_not_allow_passwords_to_be_saved_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.3.2_L1_Ensure_Do_not_allow_drive_redirection_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.9.1_L1_Ensure_Always_prompt_for_password_upon_connection_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.9.2_L1_Ensure_Require_secure_RPC_communication_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.9.3_L1_Ensure_Set_client_connection_encryption_level_is_set_to_Enabled_High_Level" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.11.1_L1_Ensure_Do_not_delete_temp_folders_upon_exit_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.11.2_L1_Ensure_Do_not_use_temporary_folders_per_session_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.53.1_L1_Ensure_Prevent_downloading_of_enclosures_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.54.2_L1_Ensure_Allow_Cortana_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.54.3_L1_Ensure_Allow_Cortana_above_lock_screen_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.54.4_L1_Ensure_Allow_indexing_of_encrypted_files_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.54.5_L1_Ensure_Allow_search_and_Cortana_to_use_location_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.61.2_L1_Ensure_Turn_off_Automatic_Download_and_Install_of_updates_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.61.3_L1_Ensure_Turn_off_the_offer_to_update_to_the_latest_version_of_Windows_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.73.2_L1_Ensure_Allow_Windows_Ink_Workspace_is_set_to_Enabled_On_but_disallow_access_above_lock_OR_Disabled_but_not_Enabled_On" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.74.1_L1_Ensure_Allow_user_control_over_installs_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.74.2_L1_Ensure_Always_install_with_elevated_privileges_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.75.1_L1_Ensure_Sign-in_last_interactive_user_automatically_after_a_system-initiated_restart_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.84.1_L1_Ensure_Turn_on_PowerShell_Script_Block_Logging_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.84.2_L1_Ensure_Turn_on_PowerShell_Transcription_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.86.1.1_L1_Ensure_Allow_Basic_authentication_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.86.1.2_L1_Ensure_Allow_unencrypted_traffic_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.86.1.3_L1_Ensure_Disallow_Digest_authentication_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.86.2.1_L1_Ensure_Allow_Basic_authentication_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.86.2.3_L1_Ensure_Allow_unencrypted_traffic_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.86.2.4_L1_Ensure_Disallow_WinRM_from_storing_RunAs_credentials_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.90.1.1_L1_Ensure_Select_when_Feature_Updates_are_received_is_set_to_Enabled_Current_Branch_for_Business_180_days" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.90.1.2_L1_Ensure_Select_when_Quality_Updates_are_received_is_set_to_Enabled_0_days" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.90.2_L1_Ensure_Configure_Automatic_Updates_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.90.3_L1_Ensure_Configure_Automatic_Updates_Scheduled_install_day_is_set_to_0_-_Every_day" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.90.4_L1_Ensure_No_auto-restart_with_logged_on_users_for_scheduled_automatic_updates_installations_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.1.3.1_L1_Ensure_Enable_screen_saver_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.1.3.2_L1_Ensure_Force_specific_screen_saver_Screen_saver_executable_name_is_set_to_Enabled_scrnsave.scr" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.1.3.3_L1_Ensure_Password_protect_the_screen_saver_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.1.3.4_L1_Ensure_Screen_saver_timeout_is_set_to_Enabled_900_seconds_or_fewer_but_not_0" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.5.1.1_L1_Ensure_Turn_off_toast_notifications_on_the_lock_screen_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.7.4.1_L1_Ensure_Do_not_preserve_zone_information_in_file_attachments_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.7.4.2_L1_Ensure_Notify_antivirus_programs_when_opening_attachments_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.7.7.2_L1_Ensure_Do_not_suggest_third-party_content_in_Windows_spotlight_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.7.26.1_L1_Ensure_Prevent_users_from_sharing_files_within_their_profile._is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.7.39.1_L1_Ensure_Always_install_with_elevated_privileges_is_set_to_Disabled" selected="true"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.2.2_L1_Configure_Access_this_computer_from_the_network" selector="DC"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.2.6_L1_Configure_Allow_log_on_locally" selector="DC"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.2.7_L1_Configure_Allow_log_on_through_Remote_Desktop_Services" selector="DC"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.2.17_L1_Configure_Deny_access_to_this_computer_from_the_network" selector="DC"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.2.22_L1_Configure_Enable_computer_and_user_accounts_to_be_trusted_for_delegation" selector="DC"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.2.25_L1_Configure_Impersonate_a_client_after_authentication" selector="DC"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.6_L1_Configure_Network_access_Named_Pipes_that_can_be_accessed_anonymously" selector="DC"/> </Profile> |
Level 1 - Member Server |
Items in this profile apply to Member Servers and intend to:
Items in this profile also apply to Member Servers that have the following Roles enabled:
Show
<Profile xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:cc="http://cisecurity.org/20-cc/v6.1" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ecl="http://cisecurity.org/check" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.cisecurity.benchmarks_profile_Level_1_-_Member_Server"> <title xml:lang="en">Level 1 - Member Server</title> <description xml:lang="en"> <xhtml:p>Items in this profile apply to Member Servers and intend to:</xhtml:p> <xhtml:ul> <xhtml:li>be practical and prudent;</xhtml:li> <xhtml:li>provide a clear security benefit; and</xhtml:li> <xhtml:li>not inhibit the utility of the technology beyond acceptable means.</xhtml:li> </xhtml:ul> <xhtml:p>Items in this profile also apply to Member Servers that have the following Roles enabled:</xhtml:p> <xhtml:ul> <xhtml:li>AD Certificate Services</xhtml:li> <xhtml:li>DHCP Server</xhtml:li> <xhtml:li>DNS Server</xhtml:li> <xhtml:li>File Server</xhtml:li> <xhtml:li>Hyper-V</xhtml:li> <xhtml:li>Network Policy and Access Services</xhtml:li> <xhtml:li>Print Server</xhtml:li> <xhtml:li>Remote Access Services</xhtml:li> <xhtml:li>Remote Desktop Services</xhtml:li> <xhtml:li>Web Server</xhtml:li> </xhtml:ul> </description> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1_L1_Ensure_Enforce_password_history_is_set_to_24_or_more_passwords" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2_L1_Ensure_Maximum_password_age_is_set_to_60_or_fewer_days_but_not_0" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3_L1_Ensure_Minimum_password_age_is_set_to_1_or_more_days" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4_L1_Ensure_Minimum_password_length_is_set_to_14_or_more_characters" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5_L1_Ensure_Password_must_meet_complexity_requirements_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6_L1_Ensure_Store_passwords_using_reversible_encryption_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.1_L1_Ensure_Account_lockout_duration_is_set_to_15_or_more_minutes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.2_L1_Ensure_Account_lockout_threshold_is_set_to_10_or_fewer_invalid_logon_attempts_but_not_0" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.3_L1_Ensure_Reset_account_lockout_counter_after_is_set_to_15_or_more_minutes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.1_L1_Ensure_Access_Credential_Manager_as_a_trusted_caller_is_set_to_No_One" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.2_L1_Configure_Access_this_computer_from_the_network" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.3_L1_Ensure_Act_as_part_of_the_operating_system_is_set_to_No_One" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.5_L1_Ensure_Adjust_memory_quotas_for_a_process_is_set_to_Administrators_LOCAL_SERVICE_NETWORK_SERVICE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.6_L1_Configure_Allow_log_on_locally" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.7_L1_Configure_Allow_log_on_through_Remote_Desktop_Services" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.8_L1_Ensure_Back_up_files_and_directories_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.9_L1_Ensure_Change_the_system_time_is_set_to_Administrators_LOCAL_SERVICE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.10_L1_Ensure_Change_the_time_zone_is_set_to_Administrators_LOCAL_SERVICE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.11_L1_Ensure_Create_a_pagefile_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.12_L1_Ensure_Create_a_token_object_is_set_to_No_One" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.13_L1_Ensure_Create_global_objects_is_set_to_Administrators_LOCAL_SERVICE_NETWORK_SERVICE_SERVICE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.14_L1_Ensure_Create_permanent_shared_objects_is_set_to_No_One" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.15_L1_Configure_Create_symbolic_links" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.16_L1_Ensure_Debug_programs_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.17_L1_Configure_Deny_access_to_this_computer_from_the_network" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.18_L1_Ensure_Deny_log_on_as_a_batch_job_to_include_Guests" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.19_L1_Ensure_Deny_log_on_as_a_service_to_include_Guests" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.20_L1_Ensure_Deny_log_on_locally_to_include_Guests" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.21_L1_Ensure_Deny_log_on_through_Remote_Desktop_Services_to_include_Guests_Local_account" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.22_L1_Configure_Enable_computer_and_user_accounts_to_be_trusted_for_delegation" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.23_L1_Ensure_Force_shutdown_from_a_remote_system_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.24_L1_Ensure_Generate_security_audits_is_set_to_LOCAL_SERVICE_NETWORK_SERVICE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.25_L1_Configure_Impersonate_a_client_after_authentication" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.26_L1_Ensure_Increase_scheduling_priority_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.27_L1_Ensure_Load_and_unload_device_drivers_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.28_L1_Ensure_Lock_pages_in_memory_is_set_to_No_One" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.30_L1_Configure_Manage_auditing_and_security_log" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.31_L1_Ensure_Modify_an_object_label_is_set_to_No_One" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.32_L1_Ensure_Modify_firmware_environment_values_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.33_L1_Ensure_Perform_volume_maintenance_tasks_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.34_L1_Ensure_Profile_single_process_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.35_L1_Ensure_Profile_system_performance_is_set_to_Administrators_NT_SERVICEWdiServiceHost" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.36_L1_Ensure_Replace_a_process_level_token_is_set_to_LOCAL_SERVICE_NETWORK_SERVICE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.37_L1_Ensure_Restore_files_and_directories_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.38_L1_Ensure_Shut_down_the_system_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.40_L1_Ensure_Take_ownership_of_files_or_other_objects_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1.1_L1_Ensure_Accounts_Administrator_account_status_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1.2_L1_Ensure_Accounts_Block_Microsoft_accounts_is_set_to_Users_cant_add_or_log_on_with_Microsoft_accounts" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1.3_L1_Ensure_Accounts_Guest_account_status_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1.4_L1_Ensure_Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1.5_L1_Configure_Accounts_Rename_administrator_account" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1.6_L1_Configure_Accounts_Rename_guest_account" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.2.1_L1_Ensure_Audit_Force_audit_policy_subcategory_settings_Windows_Vista_or_later_to_override_audit_policy_category_settings_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.2.2_L1_Ensure_Audit_Shut_down_system_immediately_if_unable_to_log_security_audits_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.4.1_L1_Ensure_Devices_Allowed_to_format_and_eject_removable_media_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.4.2_L1_Ensure_Devices_Prevent_users_from_installing_printer_drivers_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6.1_L1_Ensure_Domain_member_Digitally_encrypt_or_sign_secure_channel_data_always_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6.2_L1_Ensure_Domain_member_Digitally_encrypt_secure_channel_data_when_possible_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6.3_L1_Ensure_Domain_member_Digitally_sign_secure_channel_data_when_possible_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6.4_L1_Ensure_Domain_member_Disable_machine_account_password_changes_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6.5_L1_Ensure_Domain_member_Maximum_machine_account_password_age_is_set_to_30_or_fewer_days_but_not_0" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6.6_L1_Ensure_Domain_member_Require_strong_Windows_2000_or_later_session_key_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.1_L1_Ensure_Interactive_logon_Do_not_display_last_user_name_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.2_L1_Ensure_Interactive_logon_Do_not_require_CTRLALTDEL_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.3_L1_Ensure_Interactive_logon_Machine_inactivity_limit_is_set_to_900_or_fewer_seconds_but_not_0" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.4_L1_Configure_Interactive_logon_Message_text_for_users_attempting_to_log_on" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.5_L1_Configure_Interactive_logon_Message_title_for_users_attempting_to_log_on" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.7_L1_Ensure_Interactive_logon_Prompt_user_to_change_password_before_expiration_is_set_to_between_5_and_14_days" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.8_L1_Ensure_Interactive_logon_Require_Domain_Controller_Authentication_to_unlock_workstation_is_set_to_Enabled_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.9_L1_Ensure_Interactive_logon_Smart_card_removal_behavior_is_set_to_Lock_Workstation_or_higher" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.8.1_L1_Ensure_Microsoft_network_client_Digitally_sign_communications_always_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.8.2_L1_Ensure_Microsoft_network_client_Digitally_sign_communications_if_server_agrees_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.8.3_L1_Ensure_Microsoft_network_client_Send_unencrypted_password_to_third-party_SMB_servers_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.9.1_L1_Ensure_Microsoft_network_server_Amount_of_idle_time_required_before_suspending_session_is_set_to_15_or_fewer_minutes_but_not_0" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.9.2_L1_Ensure_Microsoft_network_server_Digitally_sign_communications_always_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.9.3_L1_Ensure_Microsoft_network_server_Digitally_sign_communications_if_client_agrees_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.9.4_L1_Ensure_Microsoft_network_server_Disconnect_clients_when_logon_hours_expire_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.9.5_L1_Ensure_Microsoft_network_server_Server_SPN_target_name_validation_level_is_set_to_Accept_if_provided_by_client_or_higher_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.1_L1_Ensure_Network_access_Allow_anonymous_SIDName_translation_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.2_L1_Ensure_Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_is_set_to_Enabled_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.3_L1_Ensure_Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_and_shares_is_set_to_Enabled_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.5_L1_Ensure_Network_access_Let_Everyone_permissions_apply_to_anonymous_users_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.6_L1_Configure_Network_access_Named_Pipes_that_can_be_accessed_anonymously" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.7_L1_Configure_Network_access_Remotely_accessible_registry_paths" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.8_L1_Configure_Network_access_Remotely_accessible_registry_paths_and_sub-paths" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.9_L1_Ensure_Network_access_Restrict_anonymous_access_to_Named_Pipes_and_Shares_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.10_L1_Ensure_Network_access_Restrict_clients_allowed_to_make_remote_calls_to_SAM_is_set_to_Administrators_Remote_Access_Allow_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.11_L1_Ensure_Network_access_Shares_that_can_be_accessed_anonymously_is_set_to_None" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.12_L1_Ensure_Network_access_Sharing_and_security_model_for_local_accounts_is_set_to_Classic_-_local_users_authenticate_as_themselves" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.1_L1_Ensure_Network_security_Allow_Local_System_to_use_computer_identity_for_NTLM_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.2_L1_Ensure_Network_security_Allow_LocalSystem_NULL_session_fallback_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.3_L1_Ensure_Network_Security_Allow_PKU2U_authentication_requests_to_this_computer_to_use_online_identities_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.4_L1_Ensure_Network_security_Configure_encryption_types_allowed_for_Kerberos_is_set_to_RC4_HMAC_MD5_AES128_HMAC_SHA1_AES256_HMAC_SHA1_Future_encryption_types" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.5_L1_Ensure_Network_security_Do_not_store_LAN_Manager_hash_value_on_next_password_change_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.6_L1_Ensure_Network_security_Force_logoff_when_logon_hours_expire_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.7_L1_Ensure_Network_security_LAN_Manager_authentication_level_is_set_to_Send_NTLMv2_response_only._Refuse_LM__NTLM" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.8_L1_Ensure_Network_security_LDAP_client_signing_requirements_is_set_to_Negotiate_signing_or_higher" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.9_L1_Ensure_Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_clients_is_set_to_Require_NTLMv2_session_security_Require_128-bit_encryption" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.10_L1_Ensure_Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_servers_is_set_to_Require_NTLMv2_session_security_Require_128-bit_encryption" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.13.1_L1_Ensure_Shutdown_Allow_system_to_be_shut_down_without_having_to_log_on_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.15.1_L1_Ensure_System_objects_Require_case_insensitivity_for_non-Windows_subsystems_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.15.2_L1_Ensure_System_objects_Strengthen_default_permissions_of_internal_system_objects_e.g._Symbolic_Links_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.1_L1_Ensure_User_Account_Control_Admin_Approval_Mode_for_the_Built-in_Administrator_account_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.2_L1_Ensure_User_Account_Control_Allow_UIAccess_applications_to_prompt_for_elevation_without_using_the_secure_desktop_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.3_L1_Ensure_User_Account_Control_Behavior_of_the_elevation_prompt_for_administrators_in_Admin_Approval_Mode_is_set_to_Prompt_for_consent_on_the_secure_desktop" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.4_L1_Ensure_User_Account_Control_Behavior_of_the_elevation_prompt_for_standard_users_is_set_to_Automatically_deny_elevation_requests" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.5_L1_Ensure_User_Account_Control_Detect_application_installations_and_prompt_for_elevation_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.6_L1_Ensure_User_Account_Control_Only_elevate_UIAccess_applications_that_are_installed_in_secure_locations_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.7_L1_Ensure_User_Account_Control_Run_all_administrators_in_Admin_Approval_Mode_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.8_L1_Ensure_User_Account_Control_Switch_to_the_secure_desktop_when_prompting_for_elevation_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.9_L1_Ensure_User_Account_Control_Virtualize_file_and_registry_write_failures_to_per-user_locations_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.1_L1_Ensure_Windows_Firewall_Domain_Firewall_state_is_set_to_On_recommended" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.2_L1_Ensure_Windows_Firewall_Domain_Inbound_connections_is_set_to_Block_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.3_L1_Ensure_Windows_Firewall_Domain_Outbound_connections_is_set_to_Allow_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.4_L1_Ensure_Windows_Firewall_Domain_Settings_Display_a_notification_is_set_to_No" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.5_L1_Ensure_Windows_Firewall_Domain_Settings_Apply_local_firewall_rules_is_set_to_Yes_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.6_L1_Ensure_Windows_Firewall_Domain_Settings_Apply_local_connection_security_rules_is_set_to_Yes_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.7_L1_Ensure_Windows_Firewall_Domain_Logging_Name_is_set_to_SYSTEMROOTSystem32logfilesfirewalldomainfw.log" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.8_L1_Ensure_Windows_Firewall_Domain_Logging_Size_limit_KB_is_set_to_16384_KB_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.9_L1_Ensure_Windows_Firewall_Domain_Logging_Log_dropped_packets_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.10_L1_Ensure_Windows_Firewall_Domain_Logging_Log_successful_connections_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.1_L1_Ensure_Windows_Firewall_Private_Firewall_state_is_set_to_On_recommended" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.2_L1_Ensure_Windows_Firewall_Private_Inbound_connections_is_set_to_Block_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.3_L1_Ensure_Windows_Firewall_Private_Outbound_connections_is_set_to_Allow_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.4_L1_Ensure_Windows_Firewall_Private_Settings_Display_a_notification_is_set_to_No" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.5_L1_Ensure_Windows_Firewall_Private_Settings_Apply_local_firewall_rules_is_set_to_Yes_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.6_L1_Ensure_Windows_Firewall_Private_Settings_Apply_local_connection_security_rules_is_set_to_Yes_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.7_L1_Ensure_Windows_Firewall_Private_Logging_Name_is_set_to_SYSTEMROOTSystem32logfilesfirewallprivatefw.log" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.8_L1_Ensure_Windows_Firewall_Private_Logging_Size_limit_KB_is_set_to_16384_KB_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.9_L1_Ensure_Windows_Firewall_Private_Logging_Log_dropped_packets_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.10_L1_Ensure_Windows_Firewall_Private_Logging_Log_successful_connections_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.1_L1_Ensure_Windows_Firewall_Public_Firewall_state_is_set_to_On_recommended" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.2_L1_Ensure_Windows_Firewall_Public_Inbound_connections_is_set_to_Block_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.3_L1_Ensure_Windows_Firewall_Public_Outbound_connections_is_set_to_Allow_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.4_L1_Ensure_Windows_Firewall_Public_Settings_Display_a_notification_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.5_L1_Ensure_Windows_Firewall_Public_Settings_Apply_local_firewall_rules_is_set_to_No" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.6_L1_Ensure_Windows_Firewall_Public_Settings_Apply_local_connection_security_rules_is_set_to_No" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.7_L1_Ensure_Windows_Firewall_Public_Logging_Name_is_set_to_SYSTEMROOTSystem32logfilesfirewallpublicfw.log" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.8_L1_Ensure_Windows_Firewall_Public_Logging_Size_limit_KB_is_set_to_16384_KB_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.9_L1_Ensure_Windows_Firewall_Public_Logging_Log_dropped_packets_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.10_L1_Ensure_Windows_Firewall_Public_Logging_Log_successful_connections_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.1.1_L1_Ensure_Audit_Credential_Validation_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.2.1_L1_Ensure_Audit_Application_Group_Management_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.2.2_L1_Ensure_Audit_Computer_Account_Management_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.2.4_L1_Ensure_Audit_Other_Account_Management_Events_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.2.5_L1_Ensure_Audit_Security_Group_Management_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.2.6_L1_Ensure_Audit_User_Account_Management_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.3.1_L1_Ensure_Audit_PNP_Activity_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.3.2_L1_Ensure_Audit_Process_Creation_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.5.1_L1_Ensure_Audit_Account_Lockout_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.5.2_L1_Ensure_Audit_Group_Membership_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.5.3_L1_Ensure_Audit_Logoff_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.5.4_L1_Ensure_Audit_Logon_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.5.5_L1_Ensure_Audit_Other_LogonLogoff_Events_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.5.6_L1_Ensure_Audit_Special_Logon_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.6.1_L1_Ensure_Audit_Removable_Storage_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.7.1_L1_Ensure_Audit_Audit_Policy_Change_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.7.2_L1_Ensure_Audit_Authentication_Policy_Change_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.7.3_L1_Ensure_Audit_Authorization_Policy_Change_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.8.1_L1_Ensure_Audit_Sensitive_Privilege_Use_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.9.1_L1_Ensure_Audit_IPsec_Driver_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.9.2_L1_Ensure_Audit_Other_System_Events_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.9.3_L1_Ensure_Audit_Security_State_Change_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.9.4_L1_Ensure_Audit_Security_System_Extension_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.9.5_L1_Ensure_Audit_System_Integrity_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.1.1.1_L1_Ensure_Prevent_enabling_lock_screen_camera_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.1.1.2_L1_Ensure_Prevent_enabling_lock_screen_slide_show_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.1.2.1_L1_Ensure_Allow_Input_Personalization_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.2.1_L1_Ensure_LAPS_AdmPwd_GPO_Extension__CSE_is_installed_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.2.2_L1_Ensure_Do_not_allow_password_expiration_time_longer_than_required_by_policy_is_set_to_Enabled_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.2.3_L1_Ensure_Enable_Local_Admin_Password_Management_is_set_to_Enabled_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.2.4_L1_Ensure_Password_Settings_Password_Complexity_is_set_to_Enabled_Large_letters__small_letters__numbers__special_characters_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.2.5_L1_Ensure_Password_Settings_Password_Length_is_set_to_Enabled_15_or_more_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.2.6_L1_Ensure_Password_Settings_Password_Age_Days_is_set_to_Enabled_30_or_fewer_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.1_L1_Ensure_MSS_AutoAdminLogon_Enable_Automatic_Logon_not_recommended_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.2_L1_Ensure_MSS_DisableIPSourceRouting_IPv6_IP_source_routing_protection_level_protects_against_packet_spoofing_is_set_to_Enabled_Highest_protection_source_routing_is_completely_disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.3_L1_Ensure_MSS_DisableIPSourceRouting_IP_source_routing_protection_level_protects_against_packet_spoofing_is_set_to_Enabled_Highest_protection_source_routing_is_completely_disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.4_L1_Ensure_MSS_EnableICMPRedirect_Allow_ICMP_redirects_to_override_OSPF_generated_routes_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.6_L1_Ensure_MSS_NoNameReleaseOnDemand_Allow_the_computer_to_ignore_NetBIOS_name_release_requests_except_from_WINS_servers_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.8_L1_Ensure_MSS_SafeDllSearchMode_Enable_Safe_DLL_search_mode_recommended_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.9_L1_Ensure_MSS_ScreenSaverGracePeriod_The_time_in_seconds_before_the_screen_saver_grace_period_expires_0_recommended_is_set_to_Enabled_5_or_fewer_seconds" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.12_L1_Ensure_MSS_WarningLevel_Percentage_threshold_for_the_security_event_log_at_which_the_system_will_generate_a_warning_is_set_to_Enabled_90_or_less" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.4.1_L1_Set_NetBIOS_node_type_to_P-node_Ensure_NetBT_Parameter_NodeType_is_set_to_0x2_2_MS_Only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.4.2_L1_Ensure_Turn_off_multicast_name_resolution_is_set_to_Enabled_MS_Only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.8.1_L1_Ensure_Enable_insecure_guest_logons_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.11.2_L1_Ensure_Prohibit_installation_and_configuration_of_Network_Bridge_on_your_DNS_domain_network_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.11.3_L1_Ensure_Prohibit_use_of_Internet_Connection_Sharing_on_your_DNS_domain_network_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.11.4_L1_Ensure_Require_domain_users_to_elevate_when_setting_a_networks_location_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.14.1_L1_Ensure_Hardened_UNC_Paths_is_set_to_Enabled_with_Require_Mutual_Authentication_and_Require_Integrity_set_for_all_NETLOGON_and_SYSVOL_shares" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.21.1_L1_Ensure_Minimize_the_number_of_simultaneous_connections_to_the_Internet_or_a_Windows_Domain_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.6.1_L1_Ensure_Apply_UAC_restrictions_to_local_accounts_on_network_logons_is_set_to_Enabled_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.6.2_L1_Ensure_WDigest_Authentication_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.3.1_L1_Ensure_Include_command_line_in_process_creation_events_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.12.1_L1_Ensure_Boot-Start_Driver_Initialization_Policy_is_set_to_Enabled_Good_unknown_and_bad_but_critical" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.19.2_L1_Ensure_Configure_registry_policy_processing_Do_not_apply_during_periodic_background_processing_is_set_to_Enabled_FALSE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.19.3_L1_Ensure_Configure_registry_policy_processing_Process_even_if_the_Group_Policy_objects_have_not_changed_is_set_to_Enabled_TRUE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.19.4__L1_Ensure_Continue_experiences_on_this_device_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.19.5_L1_Ensure_Turn_off_background_refresh_of_Group_Policy_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.25.1_L1_Ensure_Block_user_from_showing_account_details_on_sign-in_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.25.2_L1_Ensure_Do_not_display_network_selection_UI_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.25.3_L1_Ensure_Do_not_enumerate_connected_users_on_domain-joined_computers_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.25.4_L1_Ensure_Enumerate_local_users_on_domain-joined_computers_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.25.5_L1_Ensure_Turn_off_app_notifications_on_the_lock_screen_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.25.6_L1_Ensure_Turn_on_convenience_PIN_sign-in_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.26.1_L1_Ensure_Untrusted_Font_Blocking_is_set_to_Enabled_Block_untrusted_fonts_and_log_events" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.31.1_L1_Ensure_Configure_Offer_Remote_Assistance_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.31.2_L1_Ensure_Configure_Solicited_Remote_Assistance_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.32.1_L1_Ensure_Enable_RPC_Endpoint_Mapper_Client_Authentication_is_set_to_Enabled_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.6.1_L1_Ensure_Allow_Microsoft_accounts_to_be_optional_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.8.1_L1_Ensure_Disallow_Autoplay_for_non-volume_devices_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.8.2_L1_Ensure_Set_the_default_behavior_for_AutoRun_is_set_to_Enabled_Do_not_execute_any_autorun_commands" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.8.3_L1_Ensure_Turn_off_Autoplay_is_set_to_Enabled_All_drives" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.10.1.1_L1_Ensure_Use_enhanced_anti-spoofing_when_available_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.13.1_L1_Ensure_Turn_off_Microsoft_consumer_experiences_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.14.1_L1_Ensure_Require_pin_for_pairing_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.15.1_L1_Ensure_Do_not_display_the_password_reveal_button_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.15.2_L1_Ensure_Enumerate_administrator_accounts_on_elevation_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.16.1_L1_Ensure_Allow_Telemetry_is_set_to_Enabled_0_-_Security_Enterprise_Only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.16.2_L1_Ensure_Disable_pre-release_features_or_settings_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.16.3_L1_Ensure_Do_not_show_feedback_notifications_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.16.4_L1_Ensure_Toggle_user_control_over_Insider_builds_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.1.1_L1_Ensure_Application_Control_Event_Log_behavior_when_the_log_file_reaches_its_maximum_size_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.1.2_L1_Ensure_Application_Specify_the_maximum_log_file_size_KB_is_set_to_Enabled_32768_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.2.1_L1_Ensure_Security_Control_Event_Log_behavior_when_the_log_file_reaches_its_maximum_size_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.2.2_L1_Ensure_Security_Specify_the_maximum_log_file_size_KB_is_set_to_Enabled_196608_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.3.1_L1_Ensure_Setup_Control_Event_Log_behavior_when_the_log_file_reaches_its_maximum_size_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.3.2_L1_Ensure_Setup_Specify_the_maximum_log_file_size_KB_is_set_to_Enabled_32768_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.4.1_L1_Ensure_System_Control_Event_Log_behavior_when_the_log_file_reaches_its_maximum_size_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.4.2_L1_Ensure_System_Specify_the_maximum_log_file_size_KB_is_set_to_Enabled_32768_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.30.2_L1_Ensure_Configure_Windows_SmartScreen_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.30.3_L1_Ensure_Turn_off_Data_Execution_Prevention_for_Explorer_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.30.4_L1_Ensure_Turn_off_heap_termination_on_corruption_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.30.5_L1_Ensure_Turn_off_shell_protocol_protected_mode_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.3_L1_Ensure_Configure_cookies_is_set_to_Enabled_Block_only_3rd-party_cookies_or_higher" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.4_L1_Ensure_Configure_Password_Manager_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.6_L1_Ensure_Configure_search_suggestions_in_Address_bar_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.7_L1_Ensure_Configure_SmartScreen_Filter_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.47.1_L1_Ensure_Prevent_the_usage_of_OneDrive_for_file_storage_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.2.2_L1_Ensure_Do_not_allow_passwords_to_be_saved_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.3.2_L1_Ensure_Do_not_allow_drive_redirection_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.9.1_L1_Ensure_Always_prompt_for_password_upon_connection_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.9.2_L1_Ensure_Require_secure_RPC_communication_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.9.3_L1_Ensure_Set_client_connection_encryption_level_is_set_to_Enabled_High_Level" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.11.1_L1_Ensure_Do_not_delete_temp_folders_upon_exit_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.11.2_L1_Ensure_Do_not_use_temporary_folders_per_session_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.53.1_L1_Ensure_Prevent_downloading_of_enclosures_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.54.2_L1_Ensure_Allow_Cortana_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.54.3_L1_Ensure_Allow_Cortana_above_lock_screen_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.54.4_L1_Ensure_Allow_indexing_of_encrypted_files_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.54.5_L1_Ensure_Allow_search_and_Cortana_to_use_location_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.61.2_L1_Ensure_Turn_off_Automatic_Download_and_Install_of_updates_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.61.3_L1_Ensure_Turn_off_the_offer_to_update_to_the_latest_version_of_Windows_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.73.2_L1_Ensure_Allow_Windows_Ink_Workspace_is_set_to_Enabled_On_but_disallow_access_above_lock_OR_Disabled_but_not_Enabled_On" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.74.1_L1_Ensure_Allow_user_control_over_installs_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.74.2_L1_Ensure_Always_install_with_elevated_privileges_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.75.1_L1_Ensure_Sign-in_last_interactive_user_automatically_after_a_system-initiated_restart_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.84.1_L1_Ensure_Turn_on_PowerShell_Script_Block_Logging_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.84.2_L1_Ensure_Turn_on_PowerShell_Transcription_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.86.1.1_L1_Ensure_Allow_Basic_authentication_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.86.1.2_L1_Ensure_Allow_unencrypted_traffic_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.86.1.3_L1_Ensure_Disallow_Digest_authentication_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.86.2.1_L1_Ensure_Allow_Basic_authentication_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.86.2.3_L1_Ensure_Allow_unencrypted_traffic_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.86.2.4_L1_Ensure_Disallow_WinRM_from_storing_RunAs_credentials_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.90.1.1_L1_Ensure_Select_when_Feature_Updates_are_received_is_set_to_Enabled_Current_Branch_for_Business_180_days" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.90.1.2_L1_Ensure_Select_when_Quality_Updates_are_received_is_set_to_Enabled_0_days" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.90.2_L1_Ensure_Configure_Automatic_Updates_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.90.3_L1_Ensure_Configure_Automatic_Updates_Scheduled_install_day_is_set_to_0_-_Every_day" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.90.4_L1_Ensure_No_auto-restart_with_logged_on_users_for_scheduled_automatic_updates_installations_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.1.3.1_L1_Ensure_Enable_screen_saver_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.1.3.2_L1_Ensure_Force_specific_screen_saver_Screen_saver_executable_name_is_set_to_Enabled_scrnsave.scr" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.1.3.3_L1_Ensure_Password_protect_the_screen_saver_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.1.3.4_L1_Ensure_Screen_saver_timeout_is_set_to_Enabled_900_seconds_or_fewer_but_not_0" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.5.1.1_L1_Ensure_Turn_off_toast_notifications_on_the_lock_screen_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.7.4.1_L1_Ensure_Do_not_preserve_zone_information_in_file_attachments_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.7.4.2_L1_Ensure_Notify_antivirus_programs_when_opening_attachments_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.7.7.2_L1_Ensure_Do_not_suggest_third-party_content_in_Windows_spotlight_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.7.26.1_L1_Ensure_Prevent_users_from_sharing_files_within_their_profile._is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.7.39.1_L1_Ensure_Always_install_with_elevated_privileges_is_set_to_Disabled" selected="true"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.2.2_L1_Configure_Access_this_computer_from_the_network" selector="MS"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.2.6_L1_Configure_Allow_log_on_locally" selector="MS"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.2.7_L1_Configure_Allow_log_on_through_Remote_Desktop_Services" selector="MS"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.2.17_L1_Configure_Deny_access_to_this_computer_from_the_network" selector="MS"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.2.22_L1_Configure_Enable_computer_and_user_accounts_to_be_trusted_for_delegation" selector="MS"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.2.25_L1_Configure_Impersonate_a_client_after_authentication" selector="MS"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.6_L1_Configure_Network_access_Named_Pipes_that_can_be_accessed_anonymously" selector="MS"/> </Profile> |
Level 2 - Domain Controller |
This profile extends the "Level 1 - Domain Controller" profile. Items in this profile exhibit one or more of the following characteristics:
Show
<Profile xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:cc="http://cisecurity.org/20-cc/v6.1" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ecl="http://cisecurity.org/check" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Domain_Controller"> <title xml:lang="en">Level 2 - Domain Controller</title> <description xml:lang="en"> <xhtml:p>This profile extends the "Level 1 - Domain Controller" profile. Items in this profile exhibit one or more of the following characteristics:</xhtml:p> <xhtml:ul> <xhtml:li>are intended for environments or use cases where security is paramount;</xhtml:li> <xhtml:li>acts as defense in depth measure; and</xhtml:li> <xhtml:li>may negatively inhibit the utility or performance of the technology.</xhtml:li> </xhtml:ul> </description> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1_L1_Ensure_Enforce_password_history_is_set_to_24_or_more_passwords" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2_L1_Ensure_Maximum_password_age_is_set_to_60_or_fewer_days_but_not_0" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3_L1_Ensure_Minimum_password_age_is_set_to_1_or_more_days" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4_L1_Ensure_Minimum_password_length_is_set_to_14_or_more_characters" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5_L1_Ensure_Password_must_meet_complexity_requirements_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6_L1_Ensure_Store_passwords_using_reversible_encryption_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.1_L1_Ensure_Account_lockout_duration_is_set_to_15_or_more_minutes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.2_L1_Ensure_Account_lockout_threshold_is_set_to_10_or_fewer_invalid_logon_attempts_but_not_0" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.3_L1_Ensure_Reset_account_lockout_counter_after_is_set_to_15_or_more_minutes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.1_L1_Ensure_Access_Credential_Manager_as_a_trusted_caller_is_set_to_No_One" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.2_L1_Configure_Access_this_computer_from_the_network" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.3_L1_Ensure_Act_as_part_of_the_operating_system_is_set_to_No_One" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.4_L1_Ensure_Add_workstations_to_domain_is_set_to_Administrators_DC_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.5_L1_Ensure_Adjust_memory_quotas_for_a_process_is_set_to_Administrators_LOCAL_SERVICE_NETWORK_SERVICE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.6_L1_Configure_Allow_log_on_locally" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.7_L1_Configure_Allow_log_on_through_Remote_Desktop_Services" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.8_L1_Ensure_Back_up_files_and_directories_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.9_L1_Ensure_Change_the_system_time_is_set_to_Administrators_LOCAL_SERVICE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.10_L1_Ensure_Change_the_time_zone_is_set_to_Administrators_LOCAL_SERVICE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.11_L1_Ensure_Create_a_pagefile_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.12_L1_Ensure_Create_a_token_object_is_set_to_No_One" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.13_L1_Ensure_Create_global_objects_is_set_to_Administrators_LOCAL_SERVICE_NETWORK_SERVICE_SERVICE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.14_L1_Ensure_Create_permanent_shared_objects_is_set_to_No_One" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.15_L1_Configure_Create_symbolic_links" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.16_L1_Ensure_Debug_programs_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.17_L1_Configure_Deny_access_to_this_computer_from_the_network" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.18_L1_Ensure_Deny_log_on_as_a_batch_job_to_include_Guests" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.19_L1_Ensure_Deny_log_on_as_a_service_to_include_Guests" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.20_L1_Ensure_Deny_log_on_locally_to_include_Guests" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.21_L1_Ensure_Deny_log_on_through_Remote_Desktop_Services_to_include_Guests_Local_account" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.22_L1_Configure_Enable_computer_and_user_accounts_to_be_trusted_for_delegation" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.23_L1_Ensure_Force_shutdown_from_a_remote_system_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.24_L1_Ensure_Generate_security_audits_is_set_to_LOCAL_SERVICE_NETWORK_SERVICE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.25_L1_Configure_Impersonate_a_client_after_authentication" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.26_L1_Ensure_Increase_scheduling_priority_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.27_L1_Ensure_Load_and_unload_device_drivers_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.28_L1_Ensure_Lock_pages_in_memory_is_set_to_No_One" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.29_L2_Ensure_Log_on_as_a_batch_job_is_set_to_Administrators_DC_Only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.30_L1_Configure_Manage_auditing_and_security_log" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.31_L1_Ensure_Modify_an_object_label_is_set_to_No_One" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.32_L1_Ensure_Modify_firmware_environment_values_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.33_L1_Ensure_Perform_volume_maintenance_tasks_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.34_L1_Ensure_Profile_single_process_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.35_L1_Ensure_Profile_system_performance_is_set_to_Administrators_NT_SERVICEWdiServiceHost" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.36_L1_Ensure_Replace_a_process_level_token_is_set_to_LOCAL_SERVICE_NETWORK_SERVICE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.37_L1_Ensure_Restore_files_and_directories_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.38_L1_Ensure_Shut_down_the_system_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.39_L1_Ensure_Synchronize_directory_service_data_is_set_to_No_One_DC_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.40_L1_Ensure_Take_ownership_of_files_or_other_objects_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1.1_L1_Ensure_Accounts_Administrator_account_status_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1.2_L1_Ensure_Accounts_Block_Microsoft_accounts_is_set_to_Users_cant_add_or_log_on_with_Microsoft_accounts" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1.3_L1_Ensure_Accounts_Guest_account_status_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1.4_L1_Ensure_Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1.5_L1_Configure_Accounts_Rename_administrator_account" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1.6_L1_Configure_Accounts_Rename_guest_account" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.2.1_L1_Ensure_Audit_Force_audit_policy_subcategory_settings_Windows_Vista_or_later_to_override_audit_policy_category_settings_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.2.2_L1_Ensure_Audit_Shut_down_system_immediately_if_unable_to_log_security_audits_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.4.1_L1_Ensure_Devices_Allowed_to_format_and_eject_removable_media_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.4.2_L1_Ensure_Devices_Prevent_users_from_installing_printer_drivers_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.5.1_L1_Ensure_Domain_controller_Allow_server_operators_to_schedule_tasks_is_set_to_Disabled_DC_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.5.2_L1_Ensure_Domain_controller_LDAP_server_signing_requirements_is_set_to_Require_signing_DC_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.5.3_L1_Ensure_Domain_controller_Refuse_machine_account_password_changes_is_set_to_Disabled_DC_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6.1_L1_Ensure_Domain_member_Digitally_encrypt_or_sign_secure_channel_data_always_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6.2_L1_Ensure_Domain_member_Digitally_encrypt_secure_channel_data_when_possible_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6.3_L1_Ensure_Domain_member_Digitally_sign_secure_channel_data_when_possible_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6.4_L1_Ensure_Domain_member_Disable_machine_account_password_changes_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6.5_L1_Ensure_Domain_member_Maximum_machine_account_password_age_is_set_to_30_or_fewer_days_but_not_0" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6.6_L1_Ensure_Domain_member_Require_strong_Windows_2000_or_later_session_key_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.1_L1_Ensure_Interactive_logon_Do_not_display_last_user_name_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.2_L1_Ensure_Interactive_logon_Do_not_require_CTRLALTDEL_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.3_L1_Ensure_Interactive_logon_Machine_inactivity_limit_is_set_to_900_or_fewer_seconds_but_not_0" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.4_L1_Configure_Interactive_logon_Message_text_for_users_attempting_to_log_on" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.5_L1_Configure_Interactive_logon_Message_title_for_users_attempting_to_log_on" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.7_L1_Ensure_Interactive_logon_Prompt_user_to_change_password_before_expiration_is_set_to_between_5_and_14_days" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.9_L1_Ensure_Interactive_logon_Smart_card_removal_behavior_is_set_to_Lock_Workstation_or_higher" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.8.1_L1_Ensure_Microsoft_network_client_Digitally_sign_communications_always_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.8.2_L1_Ensure_Microsoft_network_client_Digitally_sign_communications_if_server_agrees_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.8.3_L1_Ensure_Microsoft_network_client_Send_unencrypted_password_to_third-party_SMB_servers_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.9.1_L1_Ensure_Microsoft_network_server_Amount_of_idle_time_required_before_suspending_session_is_set_to_15_or_fewer_minutes_but_not_0" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.9.2_L1_Ensure_Microsoft_network_server_Digitally_sign_communications_always_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.9.3_L1_Ensure_Microsoft_network_server_Digitally_sign_communications_if_client_agrees_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.9.4_L1_Ensure_Microsoft_network_server_Disconnect_clients_when_logon_hours_expire_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.1_L1_Ensure_Network_access_Allow_anonymous_SIDName_translation_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.4_L2_Ensure_Network_access_Do_not_allow_storage_of_passwords_and_credentials_for_network_authentication_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.5_L1_Ensure_Network_access_Let_Everyone_permissions_apply_to_anonymous_users_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.6_L1_Configure_Network_access_Named_Pipes_that_can_be_accessed_anonymously" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.7_L1_Configure_Network_access_Remotely_accessible_registry_paths" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.8_L1_Configure_Network_access_Remotely_accessible_registry_paths_and_sub-paths" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.9_L1_Ensure_Network_access_Restrict_anonymous_access_to_Named_Pipes_and_Shares_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.11_L1_Ensure_Network_access_Shares_that_can_be_accessed_anonymously_is_set_to_None" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.12_L1_Ensure_Network_access_Sharing_and_security_model_for_local_accounts_is_set_to_Classic_-_local_users_authenticate_as_themselves" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.1_L1_Ensure_Network_security_Allow_Local_System_to_use_computer_identity_for_NTLM_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.2_L1_Ensure_Network_security_Allow_LocalSystem_NULL_session_fallback_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.3_L1_Ensure_Network_Security_Allow_PKU2U_authentication_requests_to_this_computer_to_use_online_identities_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.4_L1_Ensure_Network_security_Configure_encryption_types_allowed_for_Kerberos_is_set_to_RC4_HMAC_MD5_AES128_HMAC_SHA1_AES256_HMAC_SHA1_Future_encryption_types" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.5_L1_Ensure_Network_security_Do_not_store_LAN_Manager_hash_value_on_next_password_change_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.6_L1_Ensure_Network_security_Force_logoff_when_logon_hours_expire_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.7_L1_Ensure_Network_security_LAN_Manager_authentication_level_is_set_to_Send_NTLMv2_response_only._Refuse_LM__NTLM" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.8_L1_Ensure_Network_security_LDAP_client_signing_requirements_is_set_to_Negotiate_signing_or_higher" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.9_L1_Ensure_Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_clients_is_set_to_Require_NTLMv2_session_security_Require_128-bit_encryption" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.10_L1_Ensure_Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_servers_is_set_to_Require_NTLMv2_session_security_Require_128-bit_encryption" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.13.1_L1_Ensure_Shutdown_Allow_system_to_be_shut_down_without_having_to_log_on_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.15.1_L1_Ensure_System_objects_Require_case_insensitivity_for_non-Windows_subsystems_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.15.2_L1_Ensure_System_objects_Strengthen_default_permissions_of_internal_system_objects_e.g._Symbolic_Links_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.1_L1_Ensure_User_Account_Control_Admin_Approval_Mode_for_the_Built-in_Administrator_account_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.2_L1_Ensure_User_Account_Control_Allow_UIAccess_applications_to_prompt_for_elevation_without_using_the_secure_desktop_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.3_L1_Ensure_User_Account_Control_Behavior_of_the_elevation_prompt_for_administrators_in_Admin_Approval_Mode_is_set_to_Prompt_for_consent_on_the_secure_desktop" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.4_L1_Ensure_User_Account_Control_Behavior_of_the_elevation_prompt_for_standard_users_is_set_to_Automatically_deny_elevation_requests" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.5_L1_Ensure_User_Account_Control_Detect_application_installations_and_prompt_for_elevation_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.6_L1_Ensure_User_Account_Control_Only_elevate_UIAccess_applications_that_are_installed_in_secure_locations_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.7_L1_Ensure_User_Account_Control_Run_all_administrators_in_Admin_Approval_Mode_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.8_L1_Ensure_User_Account_Control_Switch_to_the_secure_desktop_when_prompting_for_elevation_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.9_L1_Ensure_User_Account_Control_Virtualize_file_and_registry_write_failures_to_per-user_locations_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.1_L1_Ensure_Windows_Firewall_Domain_Firewall_state_is_set_to_On_recommended" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.2_L1_Ensure_Windows_Firewall_Domain_Inbound_connections_is_set_to_Block_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.3_L1_Ensure_Windows_Firewall_Domain_Outbound_connections_is_set_to_Allow_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.4_L1_Ensure_Windows_Firewall_Domain_Settings_Display_a_notification_is_set_to_No" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.5_L1_Ensure_Windows_Firewall_Domain_Settings_Apply_local_firewall_rules_is_set_to_Yes_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.6_L1_Ensure_Windows_Firewall_Domain_Settings_Apply_local_connection_security_rules_is_set_to_Yes_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.7_L1_Ensure_Windows_Firewall_Domain_Logging_Name_is_set_to_SYSTEMROOTSystem32logfilesfirewalldomainfw.log" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.8_L1_Ensure_Windows_Firewall_Domain_Logging_Size_limit_KB_is_set_to_16384_KB_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.9_L1_Ensure_Windows_Firewall_Domain_Logging_Log_dropped_packets_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.10_L1_Ensure_Windows_Firewall_Domain_Logging_Log_successful_connections_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.1_L1_Ensure_Windows_Firewall_Private_Firewall_state_is_set_to_On_recommended" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.2_L1_Ensure_Windows_Firewall_Private_Inbound_connections_is_set_to_Block_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.3_L1_Ensure_Windows_Firewall_Private_Outbound_connections_is_set_to_Allow_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.4_L1_Ensure_Windows_Firewall_Private_Settings_Display_a_notification_is_set_to_No" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.5_L1_Ensure_Windows_Firewall_Private_Settings_Apply_local_firewall_rules_is_set_to_Yes_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.6_L1_Ensure_Windows_Firewall_Private_Settings_Apply_local_connection_security_rules_is_set_to_Yes_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.7_L1_Ensure_Windows_Firewall_Private_Logging_Name_is_set_to_SYSTEMROOTSystem32logfilesfirewallprivatefw.log" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.8_L1_Ensure_Windows_Firewall_Private_Logging_Size_limit_KB_is_set_to_16384_KB_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.9_L1_Ensure_Windows_Firewall_Private_Logging_Log_dropped_packets_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.10_L1_Ensure_Windows_Firewall_Private_Logging_Log_successful_connections_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.1_L1_Ensure_Windows_Firewall_Public_Firewall_state_is_set_to_On_recommended" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.2_L1_Ensure_Windows_Firewall_Public_Inbound_connections_is_set_to_Block_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.3_L1_Ensure_Windows_Firewall_Public_Outbound_connections_is_set_to_Allow_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.4_L1_Ensure_Windows_Firewall_Public_Settings_Display_a_notification_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.5_L1_Ensure_Windows_Firewall_Public_Settings_Apply_local_firewall_rules_is_set_to_No" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.6_L1_Ensure_Windows_Firewall_Public_Settings_Apply_local_connection_security_rules_is_set_to_No" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.7_L1_Ensure_Windows_Firewall_Public_Logging_Name_is_set_to_SYSTEMROOTSystem32logfilesfirewallpublicfw.log" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.8_L1_Ensure_Windows_Firewall_Public_Logging_Size_limit_KB_is_set_to_16384_KB_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.9_L1_Ensure_Windows_Firewall_Public_Logging_Log_dropped_packets_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.10_L1_Ensure_Windows_Firewall_Public_Logging_Log_successful_connections_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.1.1_L1_Ensure_Audit_Credential_Validation_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.2.1_L1_Ensure_Audit_Application_Group_Management_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.2.2_L1_Ensure_Audit_Computer_Account_Management_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.2.3_L1_Ensure_Audit_Distribution_Group_Management_is_set_to_Success_and_Failure_DC_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.2.4_L1_Ensure_Audit_Other_Account_Management_Events_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.2.5_L1_Ensure_Audit_Security_Group_Management_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.2.6_L1_Ensure_Audit_User_Account_Management_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.3.1_L1_Ensure_Audit_PNP_Activity_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.3.2_L1_Ensure_Audit_Process_Creation_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.4.1_L1_Ensure_Audit_Directory_Service_Access_is_set_to_Success_and_Failure_DC_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.4.2_L1_Ensure_Audit_Directory_Service_Changes_is_set_to_Success_and_Failure_DC_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.5.1_L1_Ensure_Audit_Account_Lockout_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.5.2_L1_Ensure_Audit_Group_Membership_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.5.3_L1_Ensure_Audit_Logoff_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.5.4_L1_Ensure_Audit_Logon_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.5.5_L1_Ensure_Audit_Other_LogonLogoff_Events_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.5.6_L1_Ensure_Audit_Special_Logon_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.6.1_L1_Ensure_Audit_Removable_Storage_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.7.1_L1_Ensure_Audit_Audit_Policy_Change_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.7.2_L1_Ensure_Audit_Authentication_Policy_Change_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.7.3_L1_Ensure_Audit_Authorization_Policy_Change_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.8.1_L1_Ensure_Audit_Sensitive_Privilege_Use_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.9.1_L1_Ensure_Audit_IPsec_Driver_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.9.2_L1_Ensure_Audit_Other_System_Events_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.9.3_L1_Ensure_Audit_Security_State_Change_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.9.4_L1_Ensure_Audit_Security_System_Extension_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.9.5_L1_Ensure_Audit_System_Integrity_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.1.1.1_L1_Ensure_Prevent_enabling_lock_screen_camera_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.1.1.2_L1_Ensure_Prevent_enabling_lock_screen_slide_show_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.1.2.1_L1_Ensure_Allow_Input_Personalization_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.1_L1_Ensure_MSS_AutoAdminLogon_Enable_Automatic_Logon_not_recommended_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.2_L1_Ensure_MSS_DisableIPSourceRouting_IPv6_IP_source_routing_protection_level_protects_against_packet_spoofing_is_set_to_Enabled_Highest_protection_source_routing_is_completely_disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.3_L1_Ensure_MSS_DisableIPSourceRouting_IP_source_routing_protection_level_protects_against_packet_spoofing_is_set_to_Enabled_Highest_protection_source_routing_is_completely_disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.4_L1_Ensure_MSS_EnableICMPRedirect_Allow_ICMP_redirects_to_override_OSPF_generated_routes_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.5_L2_Ensure_MSS_KeepAliveTime_How_often_keep-alive_packets_are_sent_in_milliseconds_is_set_to_Enabled_300000_or_5_minutes_recommended" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.6_L1_Ensure_MSS_NoNameReleaseOnDemand_Allow_the_computer_to_ignore_NetBIOS_name_release_requests_except_from_WINS_servers_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.7_L2_Ensure_MSS_PerformRouterDiscovery_Allow_IRDP_to_detect_and_configure_Default_Gateway_addresses_could_lead_to_DoS_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.8_L1_Ensure_MSS_SafeDllSearchMode_Enable_Safe_DLL_search_mode_recommended_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.9_L1_Ensure_MSS_ScreenSaverGracePeriod_The_time_in_seconds_before_the_screen_saver_grace_period_expires_0_recommended_is_set_to_Enabled_5_or_fewer_seconds" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.10_L2_Ensure_MSS_TcpMaxDataRetransmissions_IPv6_How_many_times_unacknowledged_data_is_retransmitted_is_set_to_Enabled_3" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.11_L2_Ensure_MSS_TcpMaxDataRetransmissions_How_many_times_unacknowledged_data_is_retransmitted_is_set_to_Enabled_3" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.12_L1_Ensure_MSS_WarningLevel_Percentage_threshold_for_the_security_event_log_at_which_the_system_will_generate_a_warning_is_set_to_Enabled_90_or_less" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.5.1_L2_Ensure_Enable_Font_Providers_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.8.1_L1_Ensure_Enable_insecure_guest_logons_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.9.1_L2_Ensure_Turn_on_Mapper_IO_LLTDIO_driver_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.9.2_L2_Ensure_Turn_on_Responder_RSPNDR_driver_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.10.2_L2_Ensure_Turn_off_Microsoft_Peer-to-Peer_Networking_Services_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.11.2_L1_Ensure_Prohibit_installation_and_configuration_of_Network_Bridge_on_your_DNS_domain_network_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.11.3_L1_Ensure_Prohibit_use_of_Internet_Connection_Sharing_on_your_DNS_domain_network_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.11.4_L1_Ensure_Require_domain_users_to_elevate_when_setting_a_networks_location_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.14.1_L1_Ensure_Hardened_UNC_Paths_is_set_to_Enabled_with_Require_Mutual_Authentication_and_Require_Integrity_set_for_all_NETLOGON_and_SYSVOL_shares" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.19.2.1_L2_Disable_IPv6_Ensure_TCPIP6_Parameter_DisabledComponents_is_set_to_0xff_255" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.20.1_L2_Ensure_Configuration_of_wireless_settings_using_Windows_Connect_Now_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.20.2_L2_Ensure_Prohibit_access_of_the_Windows_Connect_Now_wizards_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.21.1_L1_Ensure_Minimize_the_number_of_simultaneous_connections_to_the_Internet_or_a_Windows_Domain_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.6.2_L1_Ensure_WDigest_Authentication_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.3.1_L1_Ensure_Include_command_line_in_process_creation_events_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.12.1_L1_Ensure_Boot-Start_Driver_Initialization_Policy_is_set_to_Enabled_Good_unknown_and_bad_but_critical" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.19.2_L1_Ensure_Configure_registry_policy_processing_Do_not_apply_during_periodic_background_processing_is_set_to_Enabled_FALSE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.19.3_L1_Ensure_Configure_registry_policy_processing_Process_even_if_the_Group_Policy_objects_have_not_changed_is_set_to_Enabled_TRUE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.19.4__L1_Ensure_Continue_experiences_on_this_device_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.19.5_L1_Ensure_Turn_off_background_refresh_of_Group_Policy_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.1_L2_Ensure_Turn_off_access_to_the_Store_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.2_L2_Ensure_Turn_off_downloading_of_print_drivers_over_HTTP_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.3_L2_Ensure_Turn_off_handwriting_personalization_data_sharing_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.4_L2_Ensure_Turn_off_handwriting_recognition_error_reporting_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.5_L2_Ensure_Turn_off_Internet_Connection_Wizard_if_URL_connection_is_referring_to_Microsoft.com_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.6_L2_Ensure_Turn_off_Internet_download_for_Web_publishing_and_online_ordering_wizards_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.7_L2_Ensure_Turn_off_printing_over_HTTP_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.8_L2_Ensure_Turn_off_Registration_if_URL_connection_is_referring_to_Microsoft.com_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.9_L2_Ensure_Turn_off_Search_Companion_content_file_updates_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.10_L2_Ensure_Turn_off_the_Order_Prints_picture_task_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.11_L2_Ensure_Turn_off_the_Publish_to_Web_task_for_files_and_folders_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.12_L2_Ensure_Turn_off_the_Windows_Messenger_Customer_Experience_Improvement_Program_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.13_L2_Ensure_Turn_off_Windows_Customer_Experience_Improvement_Program_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.14_L2_Ensure_Turn_off_Windows_Error_Reporting_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.23.1_L2_Ensure_Support_device_authentication_using_certificate_is_set_to_Enabled_Automatic" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.24.1_L2_Ensure_Disallow_copying_of_user_input_methods_to_the_system_account_for_sign-in_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.25.1_L1_Ensure_Block_user_from_showing_account_details_on_sign-in_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.25.2_L1_Ensure_Do_not_display_network_selection_UI_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.25.3_L1_Ensure_Do_not_enumerate_connected_users_on_domain-joined_computers_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.25.4_L1_Ensure_Enumerate_local_users_on_domain-joined_computers_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.25.5_L1_Ensure_Turn_off_app_notifications_on_the_lock_screen_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.25.6_L1_Ensure_Turn_on_convenience_PIN_sign-in_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.26.1_L1_Ensure_Untrusted_Font_Blocking_is_set_to_Enabled_Block_untrusted_fonts_and_log_events" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.29.5.1_L2_Ensure_Allow_network_connectivity_during_connected-standby_on_battery_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.29.5.2_L2_Ensure_Allow_network_connectivity_during_connected-standby_plugged_in_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.29.5.3_L2_Ensure_Require_a_password_when_a_computer_wakes_on_battery_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.29.5.4_L2_Ensure_Require_a_password_when_a_computer_wakes_plugged_in_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.31.1_L1_Ensure_Configure_Offer_Remote_Assistance_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.31.2_L1_Ensure_Configure_Solicited_Remote_Assistance_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.39.5.1_L2_Ensure_Microsoft_Support_Diagnostic_Tool_Turn_on_MSDT_interactive_communication_with_support_provider_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.39.11.1_L2_Ensure_EnableDisable_PerfTrack_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.41.1_L2_Ensure_Turn_off_the_advertising_ID_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.44.1.1_L2_Ensure_Enable_Windows_NTP_Client_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.4.1_L2_Ensure_Allow_a_Windows_app_to_share_application_data_between_users_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.5.1_L2_Ensure_Let_Windows_apps__is_set_to_Enabled_Force_Deny" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.6.1_L1_Ensure_Allow_Microsoft_accounts_to_be_optional_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.6.2_L2_Ensure_Block_launching_Windows_Store_apps_with_Windows_Runtime_API_access_from_hosted_content._is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.8.1_L1_Ensure_Disallow_Autoplay_for_non-volume_devices_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.8.2_L1_Ensure_Set_the_default_behavior_for_AutoRun_is_set_to_Enabled_Do_not_execute_any_autorun_commands" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.8.3_L1_Ensure_Turn_off_Autoplay_is_set_to_Enabled_All_drives" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.10.1.1_L1_Ensure_Use_enhanced_anti-spoofing_when_available_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.12.1_L2_Ensure_Allow_Use_of_Camera_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.13.1_L1_Ensure_Turn_off_Microsoft_consumer_experiences_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.14.1_L1_Ensure_Require_pin_for_pairing_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.15.1_L1_Ensure_Do_not_display_the_password_reveal_button_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.15.2_L1_Ensure_Enumerate_administrator_accounts_on_elevation_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.16.1_L1_Ensure_Allow_Telemetry_is_set_to_Enabled_0_-_Security_Enterprise_Only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.16.2_L1_Ensure_Disable_pre-release_features_or_settings_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.16.3_L1_Ensure_Do_not_show_feedback_notifications_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.16.4_L1_Ensure_Toggle_user_control_over_Insider_builds_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.1.1_L1_Ensure_Application_Control_Event_Log_behavior_when_the_log_file_reaches_its_maximum_size_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.1.2_L1_Ensure_Application_Specify_the_maximum_log_file_size_KB_is_set_to_Enabled_32768_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.2.1_L1_Ensure_Security_Control_Event_Log_behavior_when_the_log_file_reaches_its_maximum_size_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.2.2_L1_Ensure_Security_Specify_the_maximum_log_file_size_KB_is_set_to_Enabled_196608_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.3.1_L1_Ensure_Setup_Control_Event_Log_behavior_when_the_log_file_reaches_its_maximum_size_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.3.2_L1_Ensure_Setup_Specify_the_maximum_log_file_size_KB_is_set_to_Enabled_32768_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.4.1_L1_Ensure_System_Control_Event_Log_behavior_when_the_log_file_reaches_its_maximum_size_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.4.2_L1_Ensure_System_Specify_the_maximum_log_file_size_KB_is_set_to_Enabled_32768_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.30.2_L1_Ensure_Configure_Windows_SmartScreen_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.30.3_L1_Ensure_Turn_off_Data_Execution_Prevention_for_Explorer_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.30.4_L1_Ensure_Turn_off_heap_termination_on_corruption_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.30.5_L1_Ensure_Turn_off_shell_protocol_protected_mode_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.37.2_L2_Ensure_Turn_off_location_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.1_L2_Ensure_Allow_Extensions_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.2_L2_Ensure_Allow_InPrivate_Browsing_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.3_L1_Ensure_Configure_cookies_is_set_to_Enabled_Block_only_3rd-party_cookies_or_higher" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.4_L1_Ensure_Configure_Password_Manager_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.5_L2_Ensure_Configure_Pop-up_Blocker_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.6_L1_Ensure_Configure_search_suggestions_in_Address_bar_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.7_L1_Ensure_Configure_SmartScreen_Filter_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.8_L2_Ensure_Prevent_access_to_the_aboutflags_page_in_Microsoft_Edge_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.9_L2_Ensure_Prevent_bypassing_SmartScreen_prompts_for_files_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.10_L2_Ensure_Prevent_bypassing_SmartScreen_prompts_for_sites_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.11_L2_Ensure_Prevent_using_Localhost_IP_address_for_WebRTC_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.47.1_L1_Ensure_Prevent_the_usage_of_OneDrive_for_file_storage_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.2.2_L1_Ensure_Do_not_allow_passwords_to_be_saved_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.2.1_L2_Ensure_Restrict_Remote_Desktop_Services_users_to_a_single_Remote_Desktop_Services_session_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.3.1_L2_Ensure_Do_not_allow_COM_port_redirection_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.3.2_L1_Ensure_Do_not_allow_drive_redirection_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.3.3_L2_Ensure_Do_not_allow_LPT_port_redirection_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.3.4_L2_Ensure_Do_not_allow_supported_Plug_and_Play_device_redirection_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.9.1_L1_Ensure_Always_prompt_for_password_upon_connection_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.9.2_L1_Ensure_Require_secure_RPC_communication_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.9.3_L1_Ensure_Set_client_connection_encryption_level_is_set_to_Enabled_High_Level" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.10.1_L2_Ensure_Set_time_limit_for_active_but_idle_Remote_Desktop_Services_sessions_is_set_to_Enabled_15_minutes_or_less" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.10.2_L2_Ensure_Set_time_limit_for_disconnected_sessions_is_set_to_Enabled_1_minute" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.11.1_L1_Ensure_Do_not_delete_temp_folders_upon_exit_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.11.2_L1_Ensure_Do_not_use_temporary_folders_per_session_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.53.1_L1_Ensure_Prevent_downloading_of_enclosures_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.54.2_L1_Ensure_Allow_Cortana_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.54.3_L1_Ensure_Allow_Cortana_above_lock_screen_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.54.4_L1_Ensure_Allow_indexing_of_encrypted_files_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.54.5_L1_Ensure_Allow_search_and_Cortana_to_use_location_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.59.1_L2_Ensure_Turn_off_KMS_Client_Online_AVS_Validation_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.61.1_L2_Ensure_Disable_all_apps_from_Windows_Store_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.61.2_L1_Ensure_Turn_off_Automatic_Download_and_Install_of_updates_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.61.3_L1_Ensure_Turn_off_the_offer_to_update_to_the_latest_version_of_Windows_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.61.4_L2_Ensure_Turn_off_the_Store_application_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.69.3.1_L2_Ensure_Join_Microsoft_MAPS_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.69.8.1_L2_Ensure_Configure_Watson_events_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.73.1_L2_Ensure_Allow_suggested_apps_in_Windows_Ink_Workspace_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.73.2_L1_Ensure_Allow_Windows_Ink_Workspace_is_set_to_Enabled_On_but_disallow_access_above_lock_OR_Disabled_but_not_Enabled_On" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.74.1_L1_Ensure_Allow_user_control_over_installs_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.74.2_L1_Ensure_Always_install_with_elevated_privileges_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.74.3_L2_Ensure_Prevent_Internet_Explorer_security_prompt_for_Windows_Installer_scripts_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.75.1_L1_Ensure_Sign-in_last_interactive_user_automatically_after_a_system-initiated_restart_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.84.1_L1_Ensure_Turn_on_PowerShell_Script_Block_Logging_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.84.2_L1_Ensure_Turn_on_PowerShell_Transcription_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.86.1.1_L1_Ensure_Allow_Basic_authentication_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.86.1.2_L1_Ensure_Allow_unencrypted_traffic_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.86.1.3_L1_Ensure_Disallow_Digest_authentication_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.86.2.1_L1_Ensure_Allow_Basic_authentication_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.86.2.2_L2_Ensure_Allow_remote_server_management_through_WinRM_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.86.2.3_L1_Ensure_Allow_unencrypted_traffic_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.86.2.4_L1_Ensure_Disallow_WinRM_from_storing_RunAs_credentials_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.87.1_L2_Ensure_Allow_Remote_Shell_Access_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.90.1.1_L1_Ensure_Select_when_Feature_Updates_are_received_is_set_to_Enabled_Current_Branch_for_Business_180_days" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.90.1.2_L1_Ensure_Select_when_Quality_Updates_are_received_is_set_to_Enabled_0_days" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.90.2_L1_Ensure_Configure_Automatic_Updates_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.90.3_L1_Ensure_Configure_Automatic_Updates_Scheduled_install_day_is_set_to_0_-_Every_day" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.90.4_L1_Ensure_No_auto-restart_with_logged_on_users_for_scheduled_automatic_updates_installations_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.1.3.1_L1_Ensure_Enable_screen_saver_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.1.3.2_L1_Ensure_Force_specific_screen_saver_Screen_saver_executable_name_is_set_to_Enabled_scrnsave.scr" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.1.3.3_L1_Ensure_Password_protect_the_screen_saver_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.1.3.4_L1_Ensure_Screen_saver_timeout_is_set_to_Enabled_900_seconds_or_fewer_but_not_0" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.5.1.1_L1_Ensure_Turn_off_toast_notifications_on_the_lock_screen_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.6.5.1.1_L2_Ensure_Turn_off_Help_Experience_Improvement_Program_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.7.4.1_L1_Ensure_Do_not_preserve_zone_information_in_file_attachments_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.7.4.2_L1_Ensure_Notify_antivirus_programs_when_opening_attachments_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.7.7.1_L2_Ensure_Configure_Windows_spotlight_on_Lock_Screen_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.7.7.2_L1_Ensure_Do_not_suggest_third-party_content_in_Windows_spotlight_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.7.7.3_L2_Ensure_Turn_off_all_Windows_spotlight_features_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.7.26.1_L1_Ensure_Prevent_users_from_sharing_files_within_their_profile._is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.7.39.1_L1_Ensure_Always_install_with_elevated_privileges_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.7.43.2.1_L2_Ensure_Prevent_Codec_Download_is_set_to_Enabled" selected="true"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.2.2_L1_Configure_Access_this_computer_from_the_network" selector="DC"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.2.6_L1_Configure_Allow_log_on_locally" selector="DC"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.2.7_L1_Configure_Allow_log_on_through_Remote_Desktop_Services" selector="DC"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.2.17_L1_Configure_Deny_access_to_this_computer_from_the_network" selector="DC"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.2.22_L1_Configure_Enable_computer_and_user_accounts_to_be_trusted_for_delegation" selector="DC"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.2.25_L1_Configure_Impersonate_a_client_after_authentication" selector="DC"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.6_L1_Configure_Network_access_Named_Pipes_that_can_be_accessed_anonymously" selector="DC"/> </Profile> |
Level 2 - Member Server |
This profile extends the "Level 1 - Member Server" profile. Items in this profile exhibit one or more of the following characteristics:
Show
<Profile xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:cc="http://cisecurity.org/20-cc/v6.1" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ecl="http://cisecurity.org/check" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" id="xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Member_Server"> <title xml:lang="en">Level 2 - Member Server</title> <description xml:lang="en"> <xhtml:p>This profile extends the "Level 1 - Member Server" profile. Items in this profile exhibit one or more of the following characteristics:</xhtml:p> <xhtml:ul> <xhtml:li>are intended for environments or use cases where security is paramount;</xhtml:li> <xhtml:li>acts as defense in depth measure; and</xhtml:li> <xhtml:li>may negatively inhibit the utility or performance of the technology.</xhtml:li> </xhtml:ul> </description> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1_L1_Ensure_Enforce_password_history_is_set_to_24_or_more_passwords" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2_L1_Ensure_Maximum_password_age_is_set_to_60_or_fewer_days_but_not_0" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3_L1_Ensure_Minimum_password_age_is_set_to_1_or_more_days" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4_L1_Ensure_Minimum_password_length_is_set_to_14_or_more_characters" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5_L1_Ensure_Password_must_meet_complexity_requirements_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6_L1_Ensure_Store_passwords_using_reversible_encryption_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.1_L1_Ensure_Account_lockout_duration_is_set_to_15_or_more_minutes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.2_L1_Ensure_Account_lockout_threshold_is_set_to_10_or_fewer_invalid_logon_attempts_but_not_0" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_1.2.3_L1_Ensure_Reset_account_lockout_counter_after_is_set_to_15_or_more_minutes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.1_L1_Ensure_Access_Credential_Manager_as_a_trusted_caller_is_set_to_No_One" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.2_L1_Configure_Access_this_computer_from_the_network" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.3_L1_Ensure_Act_as_part_of_the_operating_system_is_set_to_No_One" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.5_L1_Ensure_Adjust_memory_quotas_for_a_process_is_set_to_Administrators_LOCAL_SERVICE_NETWORK_SERVICE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.6_L1_Configure_Allow_log_on_locally" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.7_L1_Configure_Allow_log_on_through_Remote_Desktop_Services" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.8_L1_Ensure_Back_up_files_and_directories_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.9_L1_Ensure_Change_the_system_time_is_set_to_Administrators_LOCAL_SERVICE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.10_L1_Ensure_Change_the_time_zone_is_set_to_Administrators_LOCAL_SERVICE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.11_L1_Ensure_Create_a_pagefile_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.12_L1_Ensure_Create_a_token_object_is_set_to_No_One" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.13_L1_Ensure_Create_global_objects_is_set_to_Administrators_LOCAL_SERVICE_NETWORK_SERVICE_SERVICE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.14_L1_Ensure_Create_permanent_shared_objects_is_set_to_No_One" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.15_L1_Configure_Create_symbolic_links" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.16_L1_Ensure_Debug_programs_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.17_L1_Configure_Deny_access_to_this_computer_from_the_network" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.18_L1_Ensure_Deny_log_on_as_a_batch_job_to_include_Guests" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.19_L1_Ensure_Deny_log_on_as_a_service_to_include_Guests" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.20_L1_Ensure_Deny_log_on_locally_to_include_Guests" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.21_L1_Ensure_Deny_log_on_through_Remote_Desktop_Services_to_include_Guests_Local_account" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.22_L1_Configure_Enable_computer_and_user_accounts_to_be_trusted_for_delegation" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.23_L1_Ensure_Force_shutdown_from_a_remote_system_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.24_L1_Ensure_Generate_security_audits_is_set_to_LOCAL_SERVICE_NETWORK_SERVICE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.25_L1_Configure_Impersonate_a_client_after_authentication" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.26_L1_Ensure_Increase_scheduling_priority_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.27_L1_Ensure_Load_and_unload_device_drivers_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.28_L1_Ensure_Lock_pages_in_memory_is_set_to_No_One" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.30_L1_Configure_Manage_auditing_and_security_log" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.31_L1_Ensure_Modify_an_object_label_is_set_to_No_One" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.32_L1_Ensure_Modify_firmware_environment_values_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.33_L1_Ensure_Perform_volume_maintenance_tasks_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.34_L1_Ensure_Profile_single_process_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.35_L1_Ensure_Profile_system_performance_is_set_to_Administrators_NT_SERVICEWdiServiceHost" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.36_L1_Ensure_Replace_a_process_level_token_is_set_to_LOCAL_SERVICE_NETWORK_SERVICE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.37_L1_Ensure_Restore_files_and_directories_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.38_L1_Ensure_Shut_down_the_system_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.2.40_L1_Ensure_Take_ownership_of_files_or_other_objects_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1.1_L1_Ensure_Accounts_Administrator_account_status_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1.2_L1_Ensure_Accounts_Block_Microsoft_accounts_is_set_to_Users_cant_add_or_log_on_with_Microsoft_accounts" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1.3_L1_Ensure_Accounts_Guest_account_status_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1.4_L1_Ensure_Accounts_Limit_local_account_use_of_blank_passwords_to_console_logon_only_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1.5_L1_Configure_Accounts_Rename_administrator_account" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.1.6_L1_Configure_Accounts_Rename_guest_account" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.2.1_L1_Ensure_Audit_Force_audit_policy_subcategory_settings_Windows_Vista_or_later_to_override_audit_policy_category_settings_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.2.2_L1_Ensure_Audit_Shut_down_system_immediately_if_unable_to_log_security_audits_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.4.1_L1_Ensure_Devices_Allowed_to_format_and_eject_removable_media_is_set_to_Administrators" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.4.2_L1_Ensure_Devices_Prevent_users_from_installing_printer_drivers_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6.1_L1_Ensure_Domain_member_Digitally_encrypt_or_sign_secure_channel_data_always_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6.2_L1_Ensure_Domain_member_Digitally_encrypt_secure_channel_data_when_possible_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6.3_L1_Ensure_Domain_member_Digitally_sign_secure_channel_data_when_possible_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6.4_L1_Ensure_Domain_member_Disable_machine_account_password_changes_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6.5_L1_Ensure_Domain_member_Maximum_machine_account_password_age_is_set_to_30_or_fewer_days_but_not_0" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.6.6_L1_Ensure_Domain_member_Require_strong_Windows_2000_or_later_session_key_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.1_L1_Ensure_Interactive_logon_Do_not_display_last_user_name_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.2_L1_Ensure_Interactive_logon_Do_not_require_CTRLALTDEL_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.3_L1_Ensure_Interactive_logon_Machine_inactivity_limit_is_set_to_900_or_fewer_seconds_but_not_0" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.4_L1_Configure_Interactive_logon_Message_text_for_users_attempting_to_log_on" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.5_L1_Configure_Interactive_logon_Message_title_for_users_attempting_to_log_on" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.6_L2_Ensure_Interactive_logon_Number_of_previous_logons_to_cache_in_case_domain_controller_is_not_available_is_set_to_4_or_fewer_logons_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.7_L1_Ensure_Interactive_logon_Prompt_user_to_change_password_before_expiration_is_set_to_between_5_and_14_days" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.8_L1_Ensure_Interactive_logon_Require_Domain_Controller_Authentication_to_unlock_workstation_is_set_to_Enabled_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.7.9_L1_Ensure_Interactive_logon_Smart_card_removal_behavior_is_set_to_Lock_Workstation_or_higher" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.8.1_L1_Ensure_Microsoft_network_client_Digitally_sign_communications_always_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.8.2_L1_Ensure_Microsoft_network_client_Digitally_sign_communications_if_server_agrees_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.8.3_L1_Ensure_Microsoft_network_client_Send_unencrypted_password_to_third-party_SMB_servers_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.9.1_L1_Ensure_Microsoft_network_server_Amount_of_idle_time_required_before_suspending_session_is_set_to_15_or_fewer_minutes_but_not_0" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.9.2_L1_Ensure_Microsoft_network_server_Digitally_sign_communications_always_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.9.3_L1_Ensure_Microsoft_network_server_Digitally_sign_communications_if_client_agrees_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.9.4_L1_Ensure_Microsoft_network_server_Disconnect_clients_when_logon_hours_expire_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.9.5_L1_Ensure_Microsoft_network_server_Server_SPN_target_name_validation_level_is_set_to_Accept_if_provided_by_client_or_higher_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.1_L1_Ensure_Network_access_Allow_anonymous_SIDName_translation_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.2_L1_Ensure_Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_is_set_to_Enabled_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.3_L1_Ensure_Network_access_Do_not_allow_anonymous_enumeration_of_SAM_accounts_and_shares_is_set_to_Enabled_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.4_L2_Ensure_Network_access_Do_not_allow_storage_of_passwords_and_credentials_for_network_authentication_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.5_L1_Ensure_Network_access_Let_Everyone_permissions_apply_to_anonymous_users_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.6_L1_Configure_Network_access_Named_Pipes_that_can_be_accessed_anonymously" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.7_L1_Configure_Network_access_Remotely_accessible_registry_paths" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.8_L1_Configure_Network_access_Remotely_accessible_registry_paths_and_sub-paths" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.9_L1_Ensure_Network_access_Restrict_anonymous_access_to_Named_Pipes_and_Shares_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.10_L1_Ensure_Network_access_Restrict_clients_allowed_to_make_remote_calls_to_SAM_is_set_to_Administrators_Remote_Access_Allow_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.11_L1_Ensure_Network_access_Shares_that_can_be_accessed_anonymously_is_set_to_None" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.12_L1_Ensure_Network_access_Sharing_and_security_model_for_local_accounts_is_set_to_Classic_-_local_users_authenticate_as_themselves" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.1_L1_Ensure_Network_security_Allow_Local_System_to_use_computer_identity_for_NTLM_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.2_L1_Ensure_Network_security_Allow_LocalSystem_NULL_session_fallback_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.3_L1_Ensure_Network_Security_Allow_PKU2U_authentication_requests_to_this_computer_to_use_online_identities_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.4_L1_Ensure_Network_security_Configure_encryption_types_allowed_for_Kerberos_is_set_to_RC4_HMAC_MD5_AES128_HMAC_SHA1_AES256_HMAC_SHA1_Future_encryption_types" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.5_L1_Ensure_Network_security_Do_not_store_LAN_Manager_hash_value_on_next_password_change_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.6_L1_Ensure_Network_security_Force_logoff_when_logon_hours_expire_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.7_L1_Ensure_Network_security_LAN_Manager_authentication_level_is_set_to_Send_NTLMv2_response_only._Refuse_LM__NTLM" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.8_L1_Ensure_Network_security_LDAP_client_signing_requirements_is_set_to_Negotiate_signing_or_higher" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.9_L1_Ensure_Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_clients_is_set_to_Require_NTLMv2_session_security_Require_128-bit_encryption" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.11.10_L1_Ensure_Network_security_Minimum_session_security_for_NTLM_SSP_based_including_secure_RPC_servers_is_set_to_Require_NTLMv2_session_security_Require_128-bit_encryption" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.13.1_L1_Ensure_Shutdown_Allow_system_to_be_shut_down_without_having_to_log_on_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.15.1_L1_Ensure_System_objects_Require_case_insensitivity_for_non-Windows_subsystems_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.15.2_L1_Ensure_System_objects_Strengthen_default_permissions_of_internal_system_objects_e.g._Symbolic_Links_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.1_L1_Ensure_User_Account_Control_Admin_Approval_Mode_for_the_Built-in_Administrator_account_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.2_L1_Ensure_User_Account_Control_Allow_UIAccess_applications_to_prompt_for_elevation_without_using_the_secure_desktop_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.3_L1_Ensure_User_Account_Control_Behavior_of_the_elevation_prompt_for_administrators_in_Admin_Approval_Mode_is_set_to_Prompt_for_consent_on_the_secure_desktop" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.4_L1_Ensure_User_Account_Control_Behavior_of_the_elevation_prompt_for_standard_users_is_set_to_Automatically_deny_elevation_requests" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.5_L1_Ensure_User_Account_Control_Detect_application_installations_and_prompt_for_elevation_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.6_L1_Ensure_User_Account_Control_Only_elevate_UIAccess_applications_that_are_installed_in_secure_locations_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.7_L1_Ensure_User_Account_Control_Run_all_administrators_in_Admin_Approval_Mode_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.8_L1_Ensure_User_Account_Control_Switch_to_the_secure_desktop_when_prompting_for_elevation_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_2.3.17.9_L1_Ensure_User_Account_Control_Virtualize_file_and_registry_write_failures_to_per-user_locations_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.1_L1_Ensure_Windows_Firewall_Domain_Firewall_state_is_set_to_On_recommended" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.2_L1_Ensure_Windows_Firewall_Domain_Inbound_connections_is_set_to_Block_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.3_L1_Ensure_Windows_Firewall_Domain_Outbound_connections_is_set_to_Allow_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.4_L1_Ensure_Windows_Firewall_Domain_Settings_Display_a_notification_is_set_to_No" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.5_L1_Ensure_Windows_Firewall_Domain_Settings_Apply_local_firewall_rules_is_set_to_Yes_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.6_L1_Ensure_Windows_Firewall_Domain_Settings_Apply_local_connection_security_rules_is_set_to_Yes_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.7_L1_Ensure_Windows_Firewall_Domain_Logging_Name_is_set_to_SYSTEMROOTSystem32logfilesfirewalldomainfw.log" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.8_L1_Ensure_Windows_Firewall_Domain_Logging_Size_limit_KB_is_set_to_16384_KB_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.9_L1_Ensure_Windows_Firewall_Domain_Logging_Log_dropped_packets_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.1.10_L1_Ensure_Windows_Firewall_Domain_Logging_Log_successful_connections_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.1_L1_Ensure_Windows_Firewall_Private_Firewall_state_is_set_to_On_recommended" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.2_L1_Ensure_Windows_Firewall_Private_Inbound_connections_is_set_to_Block_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.3_L1_Ensure_Windows_Firewall_Private_Outbound_connections_is_set_to_Allow_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.4_L1_Ensure_Windows_Firewall_Private_Settings_Display_a_notification_is_set_to_No" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.5_L1_Ensure_Windows_Firewall_Private_Settings_Apply_local_firewall_rules_is_set_to_Yes_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.6_L1_Ensure_Windows_Firewall_Private_Settings_Apply_local_connection_security_rules_is_set_to_Yes_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.7_L1_Ensure_Windows_Firewall_Private_Logging_Name_is_set_to_SYSTEMROOTSystem32logfilesfirewallprivatefw.log" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.8_L1_Ensure_Windows_Firewall_Private_Logging_Size_limit_KB_is_set_to_16384_KB_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.9_L1_Ensure_Windows_Firewall_Private_Logging_Log_dropped_packets_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.2.10_L1_Ensure_Windows_Firewall_Private_Logging_Log_successful_connections_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.1_L1_Ensure_Windows_Firewall_Public_Firewall_state_is_set_to_On_recommended" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.2_L1_Ensure_Windows_Firewall_Public_Inbound_connections_is_set_to_Block_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.3_L1_Ensure_Windows_Firewall_Public_Outbound_connections_is_set_to_Allow_default" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.4_L1_Ensure_Windows_Firewall_Public_Settings_Display_a_notification_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.5_L1_Ensure_Windows_Firewall_Public_Settings_Apply_local_firewall_rules_is_set_to_No" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.6_L1_Ensure_Windows_Firewall_Public_Settings_Apply_local_connection_security_rules_is_set_to_No" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.7_L1_Ensure_Windows_Firewall_Public_Logging_Name_is_set_to_SYSTEMROOTSystem32logfilesfirewallpublicfw.log" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.8_L1_Ensure_Windows_Firewall_Public_Logging_Size_limit_KB_is_set_to_16384_KB_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.9_L1_Ensure_Windows_Firewall_Public_Logging_Log_dropped_packets_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_9.3.10_L1_Ensure_Windows_Firewall_Public_Logging_Log_successful_connections_is_set_to_Yes" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.1.1_L1_Ensure_Audit_Credential_Validation_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.2.1_L1_Ensure_Audit_Application_Group_Management_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.2.2_L1_Ensure_Audit_Computer_Account_Management_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.2.4_L1_Ensure_Audit_Other_Account_Management_Events_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.2.5_L1_Ensure_Audit_Security_Group_Management_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.2.6_L1_Ensure_Audit_User_Account_Management_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.3.1_L1_Ensure_Audit_PNP_Activity_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.3.2_L1_Ensure_Audit_Process_Creation_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.5.1_L1_Ensure_Audit_Account_Lockout_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.5.2_L1_Ensure_Audit_Group_Membership_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.5.3_L1_Ensure_Audit_Logoff_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.5.4_L1_Ensure_Audit_Logon_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.5.5_L1_Ensure_Audit_Other_LogonLogoff_Events_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.5.6_L1_Ensure_Audit_Special_Logon_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.6.1_L1_Ensure_Audit_Removable_Storage_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.7.1_L1_Ensure_Audit_Audit_Policy_Change_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.7.2_L1_Ensure_Audit_Authentication_Policy_Change_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.7.3_L1_Ensure_Audit_Authorization_Policy_Change_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.8.1_L1_Ensure_Audit_Sensitive_Privilege_Use_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.9.1_L1_Ensure_Audit_IPsec_Driver_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.9.2_L1_Ensure_Audit_Other_System_Events_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.9.3_L1_Ensure_Audit_Security_State_Change_is_set_to_Success" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.9.4_L1_Ensure_Audit_Security_System_Extension_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_17.9.5_L1_Ensure_Audit_System_Integrity_is_set_to_Success_and_Failure" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.1.1.1_L1_Ensure_Prevent_enabling_lock_screen_camera_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.1.1.2_L1_Ensure_Prevent_enabling_lock_screen_slide_show_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.1.2.1_L1_Ensure_Allow_Input_Personalization_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.2.1_L1_Ensure_LAPS_AdmPwd_GPO_Extension__CSE_is_installed_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.2.2_L1_Ensure_Do_not_allow_password_expiration_time_longer_than_required_by_policy_is_set_to_Enabled_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.2.3_L1_Ensure_Enable_Local_Admin_Password_Management_is_set_to_Enabled_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.2.4_L1_Ensure_Password_Settings_Password_Complexity_is_set_to_Enabled_Large_letters__small_letters__numbers__special_characters_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.2.5_L1_Ensure_Password_Settings_Password_Length_is_set_to_Enabled_15_or_more_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.2.6_L1_Ensure_Password_Settings_Password_Age_Days_is_set_to_Enabled_30_or_fewer_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.1_L1_Ensure_MSS_AutoAdminLogon_Enable_Automatic_Logon_not_recommended_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.2_L1_Ensure_MSS_DisableIPSourceRouting_IPv6_IP_source_routing_protection_level_protects_against_packet_spoofing_is_set_to_Enabled_Highest_protection_source_routing_is_completely_disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.3_L1_Ensure_MSS_DisableIPSourceRouting_IP_source_routing_protection_level_protects_against_packet_spoofing_is_set_to_Enabled_Highest_protection_source_routing_is_completely_disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.4_L1_Ensure_MSS_EnableICMPRedirect_Allow_ICMP_redirects_to_override_OSPF_generated_routes_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.5_L2_Ensure_MSS_KeepAliveTime_How_often_keep-alive_packets_are_sent_in_milliseconds_is_set_to_Enabled_300000_or_5_minutes_recommended" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.6_L1_Ensure_MSS_NoNameReleaseOnDemand_Allow_the_computer_to_ignore_NetBIOS_name_release_requests_except_from_WINS_servers_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.7_L2_Ensure_MSS_PerformRouterDiscovery_Allow_IRDP_to_detect_and_configure_Default_Gateway_addresses_could_lead_to_DoS_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.8_L1_Ensure_MSS_SafeDllSearchMode_Enable_Safe_DLL_search_mode_recommended_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.9_L1_Ensure_MSS_ScreenSaverGracePeriod_The_time_in_seconds_before_the_screen_saver_grace_period_expires_0_recommended_is_set_to_Enabled_5_or_fewer_seconds" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.10_L2_Ensure_MSS_TcpMaxDataRetransmissions_IPv6_How_many_times_unacknowledged_data_is_retransmitted_is_set_to_Enabled_3" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.11_L2_Ensure_MSS_TcpMaxDataRetransmissions_How_many_times_unacknowledged_data_is_retransmitted_is_set_to_Enabled_3" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.3.12_L1_Ensure_MSS_WarningLevel_Percentage_threshold_for_the_security_event_log_at_which_the_system_will_generate_a_warning_is_set_to_Enabled_90_or_less" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.4.1_L1_Set_NetBIOS_node_type_to_P-node_Ensure_NetBT_Parameter_NodeType_is_set_to_0x2_2_MS_Only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.4.2_L1_Ensure_Turn_off_multicast_name_resolution_is_set_to_Enabled_MS_Only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.5.1_L2_Ensure_Enable_Font_Providers_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.8.1_L1_Ensure_Enable_insecure_guest_logons_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.9.1_L2_Ensure_Turn_on_Mapper_IO_LLTDIO_driver_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.9.2_L2_Ensure_Turn_on_Responder_RSPNDR_driver_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.10.2_L2_Ensure_Turn_off_Microsoft_Peer-to-Peer_Networking_Services_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.11.2_L1_Ensure_Prohibit_installation_and_configuration_of_Network_Bridge_on_your_DNS_domain_network_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.11.3_L1_Ensure_Prohibit_use_of_Internet_Connection_Sharing_on_your_DNS_domain_network_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.11.4_L1_Ensure_Require_domain_users_to_elevate_when_setting_a_networks_location_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.14.1_L1_Ensure_Hardened_UNC_Paths_is_set_to_Enabled_with_Require_Mutual_Authentication_and_Require_Integrity_set_for_all_NETLOGON_and_SYSVOL_shares" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.19.2.1_L2_Disable_IPv6_Ensure_TCPIP6_Parameter_DisabledComponents_is_set_to_0xff_255" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.20.1_L2_Ensure_Configuration_of_wireless_settings_using_Windows_Connect_Now_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.20.2_L2_Ensure_Prohibit_access_of_the_Windows_Connect_Now_wizards_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.21.1_L1_Ensure_Minimize_the_number_of_simultaneous_connections_to_the_Internet_or_a_Windows_Domain_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.4.21.2_L2_Ensure_Prohibit_connection_to_non-domain_networks_when_connected_to_domain_authenticated_network_is_set_to_Enabled_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.6.1_L1_Ensure_Apply_UAC_restrictions_to_local_accounts_on_network_logons_is_set_to_Enabled_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.6.2_L1_Ensure_WDigest_Authentication_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.3.1_L1_Ensure_Include_command_line_in_process_creation_events_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.12.1_L1_Ensure_Boot-Start_Driver_Initialization_Policy_is_set_to_Enabled_Good_unknown_and_bad_but_critical" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.19.2_L1_Ensure_Configure_registry_policy_processing_Do_not_apply_during_periodic_background_processing_is_set_to_Enabled_FALSE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.19.3_L1_Ensure_Configure_registry_policy_processing_Process_even_if_the_Group_Policy_objects_have_not_changed_is_set_to_Enabled_TRUE" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.19.4__L1_Ensure_Continue_experiences_on_this_device_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.19.5_L1_Ensure_Turn_off_background_refresh_of_Group_Policy_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.1_L2_Ensure_Turn_off_access_to_the_Store_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.2_L2_Ensure_Turn_off_downloading_of_print_drivers_over_HTTP_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.3_L2_Ensure_Turn_off_handwriting_personalization_data_sharing_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.4_L2_Ensure_Turn_off_handwriting_recognition_error_reporting_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.5_L2_Ensure_Turn_off_Internet_Connection_Wizard_if_URL_connection_is_referring_to_Microsoft.com_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.6_L2_Ensure_Turn_off_Internet_download_for_Web_publishing_and_online_ordering_wizards_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.7_L2_Ensure_Turn_off_printing_over_HTTP_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.8_L2_Ensure_Turn_off_Registration_if_URL_connection_is_referring_to_Microsoft.com_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.9_L2_Ensure_Turn_off_Search_Companion_content_file_updates_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.10_L2_Ensure_Turn_off_the_Order_Prints_picture_task_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.11_L2_Ensure_Turn_off_the_Publish_to_Web_task_for_files_and_folders_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.12_L2_Ensure_Turn_off_the_Windows_Messenger_Customer_Experience_Improvement_Program_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.13_L2_Ensure_Turn_off_Windows_Customer_Experience_Improvement_Program_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.20.1.14_L2_Ensure_Turn_off_Windows_Error_Reporting_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.23.1_L2_Ensure_Support_device_authentication_using_certificate_is_set_to_Enabled_Automatic" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.24.1_L2_Ensure_Disallow_copying_of_user_input_methods_to_the_system_account_for_sign-in_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.25.1_L1_Ensure_Block_user_from_showing_account_details_on_sign-in_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.25.2_L1_Ensure_Do_not_display_network_selection_UI_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.25.3_L1_Ensure_Do_not_enumerate_connected_users_on_domain-joined_computers_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.25.4_L1_Ensure_Enumerate_local_users_on_domain-joined_computers_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.25.5_L1_Ensure_Turn_off_app_notifications_on_the_lock_screen_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.25.6_L1_Ensure_Turn_on_convenience_PIN_sign-in_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.26.1_L1_Ensure_Untrusted_Font_Blocking_is_set_to_Enabled_Block_untrusted_fonts_and_log_events" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.29.5.1_L2_Ensure_Allow_network_connectivity_during_connected-standby_on_battery_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.29.5.2_L2_Ensure_Allow_network_connectivity_during_connected-standby_plugged_in_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.29.5.3_L2_Ensure_Require_a_password_when_a_computer_wakes_on_battery_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.29.5.4_L2_Ensure_Require_a_password_when_a_computer_wakes_plugged_in_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.31.1_L1_Ensure_Configure_Offer_Remote_Assistance_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.31.2_L1_Ensure_Configure_Solicited_Remote_Assistance_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.32.1_L1_Ensure_Enable_RPC_Endpoint_Mapper_Client_Authentication_is_set_to_Enabled_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.32.2_L2_Ensure_Restrict_Unauthenticated_RPC_clients_is_set_to_Enabled_Authenticated_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.39.5.1_L2_Ensure_Microsoft_Support_Diagnostic_Tool_Turn_on_MSDT_interactive_communication_with_support_provider_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.39.11.1_L2_Ensure_EnableDisable_PerfTrack_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.41.1_L2_Ensure_Turn_off_the_advertising_ID_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.44.1.1_L2_Ensure_Enable_Windows_NTP_Client_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.8.44.1.2_L2_Ensure_Enable_Windows_NTP_Server_is_set_to_Disabled_MS_only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.4.1_L2_Ensure_Allow_a_Windows_app_to_share_application_data_between_users_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.5.1_L2_Ensure_Let_Windows_apps__is_set_to_Enabled_Force_Deny" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.6.1_L1_Ensure_Allow_Microsoft_accounts_to_be_optional_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.6.2_L2_Ensure_Block_launching_Windows_Store_apps_with_Windows_Runtime_API_access_from_hosted_content._is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.8.1_L1_Ensure_Disallow_Autoplay_for_non-volume_devices_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.8.2_L1_Ensure_Set_the_default_behavior_for_AutoRun_is_set_to_Enabled_Do_not_execute_any_autorun_commands" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.8.3_L1_Ensure_Turn_off_Autoplay_is_set_to_Enabled_All_drives" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.10.1.1_L1_Ensure_Use_enhanced_anti-spoofing_when_available_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.12.1_L2_Ensure_Allow_Use_of_Camera_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.13.1_L1_Ensure_Turn_off_Microsoft_consumer_experiences_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.14.1_L1_Ensure_Require_pin_for_pairing_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.15.1_L1_Ensure_Do_not_display_the_password_reveal_button_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.15.2_L1_Ensure_Enumerate_administrator_accounts_on_elevation_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.16.1_L1_Ensure_Allow_Telemetry_is_set_to_Enabled_0_-_Security_Enterprise_Only" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.16.2_L1_Ensure_Disable_pre-release_features_or_settings_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.16.3_L1_Ensure_Do_not_show_feedback_notifications_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.16.4_L1_Ensure_Toggle_user_control_over_Insider_builds_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.1.1_L1_Ensure_Application_Control_Event_Log_behavior_when_the_log_file_reaches_its_maximum_size_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.1.2_L1_Ensure_Application_Specify_the_maximum_log_file_size_KB_is_set_to_Enabled_32768_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.2.1_L1_Ensure_Security_Control_Event_Log_behavior_when_the_log_file_reaches_its_maximum_size_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.2.2_L1_Ensure_Security_Specify_the_maximum_log_file_size_KB_is_set_to_Enabled_196608_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.3.1_L1_Ensure_Setup_Control_Event_Log_behavior_when_the_log_file_reaches_its_maximum_size_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.3.2_L1_Ensure_Setup_Specify_the_maximum_log_file_size_KB_is_set_to_Enabled_32768_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.4.1_L1_Ensure_System_Control_Event_Log_behavior_when_the_log_file_reaches_its_maximum_size_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.26.4.2_L1_Ensure_System_Specify_the_maximum_log_file_size_KB_is_set_to_Enabled_32768_or_greater" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.30.2_L1_Ensure_Configure_Windows_SmartScreen_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.30.3_L1_Ensure_Turn_off_Data_Execution_Prevention_for_Explorer_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.30.4_L1_Ensure_Turn_off_heap_termination_on_corruption_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.30.5_L1_Ensure_Turn_off_shell_protocol_protected_mode_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.37.2_L2_Ensure_Turn_off_location_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.1_L2_Ensure_Allow_Extensions_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.2_L2_Ensure_Allow_InPrivate_Browsing_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.3_L1_Ensure_Configure_cookies_is_set_to_Enabled_Block_only_3rd-party_cookies_or_higher" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.4_L1_Ensure_Configure_Password_Manager_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.5_L2_Ensure_Configure_Pop-up_Blocker_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.6_L1_Ensure_Configure_search_suggestions_in_Address_bar_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.7_L1_Ensure_Configure_SmartScreen_Filter_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.8_L2_Ensure_Prevent_access_to_the_aboutflags_page_in_Microsoft_Edge_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.9_L2_Ensure_Prevent_bypassing_SmartScreen_prompts_for_files_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.10_L2_Ensure_Prevent_bypassing_SmartScreen_prompts_for_sites_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.41.11_L2_Ensure_Prevent_using_Localhost_IP_address_for_WebRTC_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.47.1_L1_Ensure_Prevent_the_usage_of_OneDrive_for_file_storage_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.2.2_L1_Ensure_Do_not_allow_passwords_to_be_saved_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.2.1_L2_Ensure_Restrict_Remote_Desktop_Services_users_to_a_single_Remote_Desktop_Services_session_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.3.1_L2_Ensure_Do_not_allow_COM_port_redirection_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.3.2_L1_Ensure_Do_not_allow_drive_redirection_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.3.3_L2_Ensure_Do_not_allow_LPT_port_redirection_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.3.4_L2_Ensure_Do_not_allow_supported_Plug_and_Play_device_redirection_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.9.1_L1_Ensure_Always_prompt_for_password_upon_connection_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.9.2_L1_Ensure_Require_secure_RPC_communication_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.9.3_L1_Ensure_Set_client_connection_encryption_level_is_set_to_Enabled_High_Level" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.10.1_L2_Ensure_Set_time_limit_for_active_but_idle_Remote_Desktop_Services_sessions_is_set_to_Enabled_15_minutes_or_less" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.10.2_L2_Ensure_Set_time_limit_for_disconnected_sessions_is_set_to_Enabled_1_minute" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.11.1_L1_Ensure_Do_not_delete_temp_folders_upon_exit_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.52.3.11.2_L1_Ensure_Do_not_use_temporary_folders_per_session_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.53.1_L1_Ensure_Prevent_downloading_of_enclosures_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.54.2_L1_Ensure_Allow_Cortana_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.54.3_L1_Ensure_Allow_Cortana_above_lock_screen_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.54.4_L1_Ensure_Allow_indexing_of_encrypted_files_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.54.5_L1_Ensure_Allow_search_and_Cortana_to_use_location_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.59.1_L2_Ensure_Turn_off_KMS_Client_Online_AVS_Validation_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.61.1_L2_Ensure_Disable_all_apps_from_Windows_Store_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.61.2_L1_Ensure_Turn_off_Automatic_Download_and_Install_of_updates_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.61.3_L1_Ensure_Turn_off_the_offer_to_update_to_the_latest_version_of_Windows_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.61.4_L2_Ensure_Turn_off_the_Store_application_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.69.3.1_L2_Ensure_Join_Microsoft_MAPS_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.69.8.1_L2_Ensure_Configure_Watson_events_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.73.1_L2_Ensure_Allow_suggested_apps_in_Windows_Ink_Workspace_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.73.2_L1_Ensure_Allow_Windows_Ink_Workspace_is_set_to_Enabled_On_but_disallow_access_above_lock_OR_Disabled_but_not_Enabled_On" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.74.1_L1_Ensure_Allow_user_control_over_installs_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.74.2_L1_Ensure_Always_install_with_elevated_privileges_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.74.3_L2_Ensure_Prevent_Internet_Explorer_security_prompt_for_Windows_Installer_scripts_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.75.1_L1_Ensure_Sign-in_last_interactive_user_automatically_after_a_system-initiated_restart_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.84.1_L1_Ensure_Turn_on_PowerShell_Script_Block_Logging_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.84.2_L1_Ensure_Turn_on_PowerShell_Transcription_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.86.1.1_L1_Ensure_Allow_Basic_authentication_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.86.1.2_L1_Ensure_Allow_unencrypted_traffic_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.86.1.3_L1_Ensure_Disallow_Digest_authentication_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.86.2.1_L1_Ensure_Allow_Basic_authentication_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.86.2.2_L2_Ensure_Allow_remote_server_management_through_WinRM_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.86.2.3_L1_Ensure_Allow_unencrypted_traffic_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.86.2.4_L1_Ensure_Disallow_WinRM_from_storing_RunAs_credentials_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.87.1_L2_Ensure_Allow_Remote_Shell_Access_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.90.1.1_L1_Ensure_Select_when_Feature_Updates_are_received_is_set_to_Enabled_Current_Branch_for_Business_180_days" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.90.1.2_L1_Ensure_Select_when_Quality_Updates_are_received_is_set_to_Enabled_0_days" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.90.2_L1_Ensure_Configure_Automatic_Updates_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.90.3_L1_Ensure_Configure_Automatic_Updates_Scheduled_install_day_is_set_to_0_-_Every_day" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_18.9.90.4_L1_Ensure_No_auto-restart_with_logged_on_users_for_scheduled_automatic_updates_installations_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.1.3.1_L1_Ensure_Enable_screen_saver_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.1.3.2_L1_Ensure_Force_specific_screen_saver_Screen_saver_executable_name_is_set_to_Enabled_scrnsave.scr" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.1.3.3_L1_Ensure_Password_protect_the_screen_saver_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.1.3.4_L1_Ensure_Screen_saver_timeout_is_set_to_Enabled_900_seconds_or_fewer_but_not_0" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.5.1.1_L1_Ensure_Turn_off_toast_notifications_on_the_lock_screen_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.6.5.1.1_L2_Ensure_Turn_off_Help_Experience_Improvement_Program_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.7.4.1_L1_Ensure_Do_not_preserve_zone_information_in_file_attachments_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.7.4.2_L1_Ensure_Notify_antivirus_programs_when_opening_attachments_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.7.7.1_L2_Ensure_Configure_Windows_spotlight_on_Lock_Screen_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.7.7.2_L1_Ensure_Do_not_suggest_third-party_content_in_Windows_spotlight_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.7.7.3_L2_Ensure_Turn_off_all_Windows_spotlight_features_is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.7.26.1_L1_Ensure_Prevent_users_from_sharing_files_within_their_profile._is_set_to_Enabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.7.39.1_L1_Ensure_Always_install_with_elevated_privileges_is_set_to_Disabled" selected="true"/> <select idref="xccdf_org.cisecurity.benchmarks_rule_19.7.43.2.1_L2_Ensure_Prevent_Codec_Download_is_set_to_Enabled" selected="true"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.2.2_L1_Configure_Access_this_computer_from_the_network" selector="MS"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.2.6_L1_Configure_Allow_log_on_locally" selector="MS"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.2.7_L1_Configure_Allow_log_on_through_Remote_Desktop_Services" selector="MS"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.2.17_L1_Configure_Deny_access_to_this_computer_from_the_network" selector="MS"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.2.22_L1_Configure_Enable_computer_and_user_accounts_to_be_trusted_for_delegation" selector="MS"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.2.25_L1_Configure_Impersonate_a_client_after_authentication" selector="MS"/> <refine-rule idref="xccdf_org.cisecurity.benchmarks_rule_2.3.10.6_L1_Configure_Network_access_Named_Pipes_that_can_be_accessed_anonymously" selector="MS"/> </Profile> |
This section contains recommendations for account policies.
This section contains recommendations for password policy.
This policy setting determines the number of renewed, unique passwords that have to be associated with a user account before you can reuse an old password. The value for this policy setting must be between 0 and 24 passwords. The default value for Windows Vista is 0 passwords, but the default setting in a domain is 24 passwords. To maintain the effectiveness of this policy setting, use the Minimum password age setting to prevent users from repeatedly changing their password.
The recommended state for this setting is: 24 or more password(s).
The longer a user uses the same password, the greater the chance that an attacker can determine the password through brute force attacks. Also, any accounts that may have been compromised will remain exploitable for as long as the password is left unchanged. If password changes are required but password reuse is not prevented, or if users continually reuse a small number of passwords, the effectiveness of a good password policy is greatly reduced.
If you specify a low number for this policy setting, users will be able to use the same small number of passwords repeatedly. If you do not also configure the Minimum password age setting, users might repeatedly change their passwords until they can reuse their original password.
To establish the recommended configuration via GP, set the following UI path to 24 or more password(s):
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Enforce password history
Impact:
The major impact of this configuration is that users must create a new password every time they are required to change their old one. If users are required to change their passwords to new unique values, there is an increased risk of users who write their passwords somewhere so that they do not forget them. Another risk is that users may create passwords that change incrementally (for example, password01, password02, and so on) to facilitate memorization but make them easier to guess. Also, an excessively low value for the Minimum password age setting will likely increase administrative overhead, because users who forget their passwords might ask the help desk to reset them frequently.
|
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:cc="http://cisecurity.org/20-cc/v6.1" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ecl="http://cisecurity.org/check" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" idref="xccdf_org.cisecurity.benchmarks_rule_1.1.1_L1_Ensure_Enforce_password_history_is_set_to_24_or_more_passwords" role="full" severity="unknown" time="2017-05-08T21:09:45.969Z" version="1" weight="1.0"> <result>pass</result> <ident cc:controlURI="http://cisecurity.org/20-cc/v6.1/control/16/subcontrol/5" system="http://cisecurity.org/20-cc/v6.1"/> <ident system="http://cce.mitre.org">CCE-37166-6</ident> <metadata> <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0" end-time="2017-05-08T21:09:45.969Z" start-time="2017-05-08T21:09:45.516Z"> <cis:and> <cis:evidence_test check="all" check_existence="at_least_one_exists" comment="Ensure 'Password Hist Len' is 'Greater Than Or Equal' to '24'" negated="false" ns="windows" objref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:obj:10001" result="true" testref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:tst:10001" type="passwordpolicy_test"> <cis:evidence_state steref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:ste:10001"> <cis:evidence_item itemref="787"> <cis:evidence_item_pk status="exists"/> <cis:evidence_field cv="24" dt="int" ev="24" name="password_hist_len" op="greater than or equal" result="true"/> </cis:evidence_item> </cis:evidence_state> </cis:evidence_test> </cis:and> </cis:evidence> </metadata> <complex-check operator="AND"> <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> <check-export export-name="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:var:1002" value-id="xccdf_org.cisecurity.benchmarks_value_1.1.1.1_var"/> <check-content-ref href="CIS_Microsoft_Windows_Server_2016_Benchmark_v1.0.0-oval.xml" name="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:def:1002"/> </check> </complex-check> </rule-result>
References:
CCE Information | |
---|---|
CCE-IDv5: | CCE-37166-6 |
Published On: | |
Last Modified On: |
Critical Controls:
Critical Control Information | |
---|---|
Control: | Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them. |
Subcontrol: | 16.5 |
Label: | Ensure Workstation Screen Locks Are Configured |
Description: | Configure screen locks on systems to limit access to unattended workstations. |
This policy setting defines how long a user can use their password before it expires.
Values for this policy setting range from 0 to 999 days. If you set the value to 0, the password will never expire.
Because attackers can crack passwords, the more frequently you change the password the less opportunity an attacker has to use a cracked password. However, the lower this value is set, the higher the potential for an increase in calls to help desk support due to users having to change their password or forgetting which password is current.
The recommended state for this setting is 60 or fewer days, but not 0.
The longer a password exists the higher the likelihood that it will be compromised by a brute force attack, by an attacker gaining general knowledge about the user, or by the user sharing the password. Configuring the Maximum password age setting to 0 so that users are never required to change their passwords is a major security risk because that allows a compromised password to be used by the malicious user for as long as the valid user is authorized access.
To establish the recommended configuration via GP, set the following UI path to 60 or fewer days, but not 0:
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Maximum password age
Impact:
If the Maximum password age setting is too low, users are required to change their passwords very often. Such a configuration can reduce security in the organization, because users might write their passwords in an insecure location or lose them. If the value for this policy setting is too high, the level of security within an organization is reduced because it allows potential attackers more time in which to discover user passwords or to use compromised accounts.
All of the following tests or sub-groups must pass: | ||||||||||||||||
|
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:cc="http://cisecurity.org/20-cc/v6.1" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ecl="http://cisecurity.org/check" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" idref="xccdf_org.cisecurity.benchmarks_rule_1.1.2_L1_Ensure_Maximum_password_age_is_set_to_60_or_fewer_days_but_not_0" role="full" severity="unknown" time="2017-05-08T21:09:45.985Z" version="1" weight="1.0"> <result>fail</result> <ident cc:controlURI="http://cisecurity.org/20-cc/v6.1/control/16/subcontrol/5" system="http://cisecurity.org/20-cc/v6.1"/> <ident system="http://cce.mitre.org">CCE-37167-4</ident> <metadata> <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0" end-time="2017-05-08T21:09:45.985Z" start-time="2017-05-08T21:09:45.985Z"> <cis:and> <cis:evidence_test check="all" check_existence="at_least_one_exists" comment="Ensure 'Max Passwd Age' is 'Greater Than' to '0'" negated="false" ns="windows" objref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:obj:10003" result="true" testref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:tst:10003" type="passwordpolicy_test"> <cis:evidence_state steref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:ste:10003"> <cis:evidence_item itemref="787"> <cis:evidence_item_pk status="exists"/> <cis:evidence_field cv="15552000" dt="int" ev="0" name="max_passwd_age" op="greater than" result="true"/> </cis:evidence_item> </cis:evidence_state> </cis:evidence_test> <cis:evidence_test check="all" check_existence="at_least_one_exists" comment="Ensure 'Max Passwd Age' is 'Less Than Or Equal' to '5184000'" negated="false" ns="windows" objref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:obj:10002" result="false" testref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:tst:10002" type="passwordpolicy_test"> <cis:evidence_state steref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:ste:10002"> <cis:evidence_item itemref="787"> <cis:evidence_item_pk status="exists"/> <cis:evidence_field cv="15552000" dt="int" ev="5184000" name="max_passwd_age" op="less than or equal" result="false"/> </cis:evidence_item> </cis:evidence_state> </cis:evidence_test> </cis:and> </cis:evidence> </metadata> <complex-check operator="AND"> <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> <check-export export-name="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:var:1003" value-id="xccdf_org.cisecurity.benchmarks_value_1.1.2.1_var"/> <check-content-ref href="CIS_Microsoft_Windows_Server_2016_Benchmark_v1.0.0-oval.xml" name="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:def:1003"/> </check> <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> <check-export export-name="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:var:1004" value-id="xccdf_org.cisecurity.benchmarks_value_1.1.2.2_var"/> <check-content-ref href="CIS_Microsoft_Windows_Server_2016_Benchmark_v1.0.0-oval.xml" name="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:def:1004"/> </check> </complex-check> </rule-result>
References:
CCE Information | |
---|---|
CCE-IDv5: | CCE-37167-4 |
Published On: | |
Last Modified On: |
Critical Controls:
Critical Control Information | |
---|---|
Control: | Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them. |
Subcontrol: | 16.5 |
Label: | Ensure Workstation Screen Locks Are Configured |
Description: | Configure screen locks on systems to limit access to unattended workstations. |
This policy setting determines the number of days that you must use a password before you can change it. The range of values for this policy setting is between 1 and 999 days. (You may also set the value to 0 to allow immediate password changes.) The default value for this setting is 0 days.
The recommended state for this setting is: 1 or more day(s).
Users may have favorite passwords that they like to use because they are easy to remember and they believe that their password choice is secure from compromise. Unfortunately, passwords are compromised and if an attacker is targeting a specific individual user account, with foreknowledge of data about that user, reuse of old passwords can cause a security breach. To address password reuse a combination of security settings is required. Using this policy setting with the Enforce password history setting prevents the easy reuse of old passwords. For example, if you configure the Enforce password history setting to ensure that users cannot reuse any of their last 12 passwords, they could change their password 13 times in a few minutes and reuse the password they started with, unless you also configure the Minimum password age setting to a number that is greater than 0. You must configure this policy setting to a number that is greater than 0 for the Enforce password history setting to be effective.
To establish the recommended configuration via GP, set the following UI path to 1 or more day(s):
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password age
Impact:
If an administrator sets a password for a user but wants that user to change the password when the user first logs on, the administrator must select the User must change password at next logon check box, or the user will not be able to change the password until the next day.
|
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:cc="http://cisecurity.org/20-cc/v6.1" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ecl="http://cisecurity.org/check" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" idref="xccdf_org.cisecurity.benchmarks_rule_1.1.3_L1_Ensure_Minimum_password_age_is_set_to_1_or_more_days" role="full" severity="unknown" time="2017-05-08T21:09:46.000Z" version="1" weight="1.0"> <result>pass</result> <ident cc:controlURI="http://cisecurity.org/20-cc/v6.1/control/16/subcontrol/5" system="http://cisecurity.org/20-cc/v6.1"/> <ident system="http://cce.mitre.org">CCE-37073-4</ident> <metadata> <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0" end-time="2017-05-08T21:09:46.000Z" start-time="2017-05-08T21:09:45.985Z"> <cis:and> <cis:evidence_test check="all" check_existence="at_least_one_exists" comment="Ensure 'Min Passwd Age' is 'Greater Than Or Equal' to '86400'" negated="false" ns="windows" objref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:obj:10004" result="true" testref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:tst:10004" type="passwordpolicy_test"> <cis:evidence_state steref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:ste:10004"> <cis:evidence_item itemref="787"> <cis:evidence_item_pk status="exists"/> <cis:evidence_field cv="86400" dt="int" ev="86400" name="min_passwd_age" op="greater than or equal" result="true"/> </cis:evidence_item> </cis:evidence_state> </cis:evidence_test> </cis:and> </cis:evidence> </metadata> <complex-check operator="AND"> <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> <check-export export-name="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:var:1005" value-id="xccdf_org.cisecurity.benchmarks_value_1.1.3.1_var"/> <check-content-ref href="CIS_Microsoft_Windows_Server_2016_Benchmark_v1.0.0-oval.xml" name="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:def:1005"/> </check> </complex-check> </rule-result>
References:
CCE Information | |
---|---|
CCE-IDv5: | CCE-37073-4 |
Published On: | |
Last Modified On: |
Critical Controls:
Critical Control Information | |
---|---|
Control: | Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them. |
Subcontrol: | 16.5 |
Label: | Ensure Workstation Screen Locks Are Configured |
Description: | Configure screen locks on systems to limit access to unattended workstations. |
This policy setting determines the least number of characters that make up a password for a user account. There are many different theories about how to determine the best password length for an organization, but perhaps "pass phrase" is a better term than "password." In Microsoft Windows 2000 or later, pass phrases can be quite long and can include spaces. Therefore, a phrase such as "I want to drink a $5 milkshake" is a valid pass phrase; it is a considerably stronger password than an 8 or 10 character string of random numbers and letters, and yet is easier to remember. Users must be educated about the proper selection and maintenance of passwords, especially with regard to password length. In enterprise environments, the ideal value for the Minimum password length setting is 14 characters, however you should adjust this value to meet your organization's business requirements.
The recommended state for this setting is: 14 or more character(s).
Types of password attacks include dictionary attacks (which attempt to use common words and phrases) and brute force attacks (which try every possible combination of characters). Also, attackers sometimes try to obtain the account database so they can use tools to discover the accounts and passwords.
To establish the recommended configuration via GP, set the following UI path to 14 or more character(s):
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Minimum password length
Impact:
Requirements for extremely long passwords can actually decrease the security of an organization, because users might leave the information in an insecure location or lose it. If very long passwords are required, mistyped passwords could cause account lockouts and increase the volume of help desk calls. If your organization has issues with forgotten passwords due to password length requirements, consider teaching your users about pass phrases, which are often easier to remember and, due to the larger number of character combinations, much harder to discover.
Note: Older versions of Windows such as Windows 98 and Windows NT 4.0 do not support passwords that are longer than 14 characters. Computers that run these older operating systems are unable to authenticate with computers or domains that use accounts that require long passwords.
|
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:cc="http://cisecurity.org/20-cc/v6.1" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ecl="http://cisecurity.org/check" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" idref="xccdf_org.cisecurity.benchmarks_rule_1.1.4_L1_Ensure_Minimum_password_length_is_set_to_14_or_more_characters" role="full" severity="unknown" time="2017-05-08T21:09:46.000Z" version="1" weight="1.0"> <result>pass</result> <ident cc:controlURI="http://cisecurity.org/20-cc/v6.1/control/16/subcontrol/5" system="http://cisecurity.org/20-cc/v6.1"/> <ident cc:controlURI="http://cisecurity.org/20-cc/v6.1/control/5/subcontrol/7" system="http://cisecurity.org/20-cc/v6.1"/> <ident cc:controlURI="http://cisecurity.org/20-cc/v6.1/control/16/subcontrol/12" system="http://cisecurity.org/20-cc/v6.1"/> <ident system="http://cce.mitre.org">CCE-36534-6</ident> <metadata> <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0" end-time="2017-05-08T21:09:46.000Z" start-time="2017-05-08T21:09:46.000Z"> <cis:and> <cis:evidence_test check="all" check_existence="at_least_one_exists" comment="Ensure 'Min Passwd Len' is 'Greater Than Or Equal' to '14'" negated="false" ns="windows" objref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:obj:10005" result="true" testref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:tst:10005" type="passwordpolicy_test"> <cis:evidence_state steref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:ste:10005"> <cis:evidence_item itemref="787"> <cis:evidence_item_pk status="exists"/> <cis:evidence_field cv="14" dt="int" ev="14" name="min_passwd_len" op="greater than or equal" result="true"/> </cis:evidence_item> </cis:evidence_state> </cis:evidence_test> </cis:and> </cis:evidence> </metadata> <complex-check operator="AND"> <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> <check-export export-name="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:var:1006" value-id="xccdf_org.cisecurity.benchmarks_value_1.1.4.1_var"/> <check-content-ref href="CIS_Microsoft_Windows_Server_2016_Benchmark_v1.0.0-oval.xml" name="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:def:1006"/> </check> </complex-check> </rule-result>
References:
CCE Information | |
---|---|
CCE-IDv5: | CCE-36534-6 |
Published On: | |
Last Modified On: |
Critical Controls:
Critical Control Information | |
---|---|
Control: | Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them. |
Subcontrol: | 16.5 |
Label: | Ensure Workstation Screen Locks Are Configured |
Description: | Configure screen locks on systems to limit access to unattended workstations. |
Critical Control Information | |
---|---|
Control: | The processes and tools used to track/control/prevent/correct the use, assignment, and configuration of administrative privileges on computers, networks, and applications. |
Subcontrol: | 5.7 |
Label: | User Accounts Shall Use Long Passwords |
Description: | Where multi-factor authentication is not supported, user accounts shall be required to use long passwords on the system (longer than 14 characters). |
Critical Control Information | |
---|---|
Control: | Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them. |
Subcontrol: | 16.12 |
Label: | Use Long Passwords For All User Accounts |
Description: | Where multi-factor authentication is not supported, user accounts shall be required to use long passwords on the system (longer than 14 characters). |
This policy setting checks all new passwords to ensure that they meet basic requirements for strong passwords.
When this policy is enabled, passwords must meet the following minimum requirements: - Not contain the user's account name or parts of the user's full name that exceed two consecutive characters - Be at least six characters in length - Contain characters from three of the following four categories: - English uppercase characters (A through Z) - English lowercase characters (a through z) - Base 10 digits (0 through 9) - Non-alphabetic characters (for example, !, $, #, %) - A catch-all category of any Unicode character that does not fall under the previous four categories. This fifth category can be regionally specific.
Each additional character in a password increases its complexity exponentially. For instance, a seven-character, all lower-case alphabetic password would have 267 (approximately 8 x 109 or 8 billion) possible combinations. At 1,000,000 attempts per second (a capability of many password-cracking utilities), it would only take 133 minutes to crack. A seven-character alphabetic password with case sensitivity has 527 combinations. A seven-character case-sensitive alphanumeric password without punctuation has 627 combinations. An eight-character password has 268 (or 2 x 1011) possible combinations. Although this might seem to be a large number, at 1,000,000 attempts per second it would take only 59 hours to try all possible passwords. Remember, these times will significantly increase for passwords that use ALT characters and other special keyboard characters such as "!" or "@". Proper use of the password settings can help make it difficult to mount a brute force attack.
The recommended state for this setting is: Enabled.
Passwords that contain only alphanumeric characters are extremely easy to discover with several publicly available tools.
To establish the recommended configuration via GP, set the following UI path to Enabled:
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Password must meet complexity requirements
Impact:
If the default password complexity configuration is retained, additional help desk calls for locked-out accounts could occur because users might not be accustomed to passwords that contain non-alphabetic characters. However, all users should be able to comply with the complexity requirement with minimal difficulty.
If your organization has more stringent security requirements, you can create a custom version of the Passfilt.dll file that allows the use of arbitrarily complex password strength rules. For example, a custom password filter might require the use of non-upper row characters. (Upper row characters are those that require you to hold down the SHIFT key and press any of the digits between 1 and 0.) A custom password filter might also perform a dictionary check to verify that the proposed password does not contain common dictionary words or fragments.
Also, the use of ALT key character combinations can greatly enhance the complexity of a password. However, such stringent password requirements can result in unhappy users and an extremely busy help desk. Alternatively, your organization could consider a requirement for all administrator passwords to use ALT characters in the 01280159 range. (ALT characters outside of this range can represent standard alphanumeric characters that would not add additional complexity to the password.)
|
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:cc="http://cisecurity.org/20-cc/v6.1" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ecl="http://cisecurity.org/check" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" idref="xccdf_org.cisecurity.benchmarks_rule_1.1.5_L1_Ensure_Password_must_meet_complexity_requirements_is_set_to_Enabled" role="full" severity="unknown" time="2017-05-08T21:09:46.016Z" version="1" weight="1.0"> <result>unknown</result> <ident cc:controlURI="http://cisecurity.org/20-cc/v6.1/control/16/subcontrol/5" system="http://cisecurity.org/20-cc/v6.1"/> <ident system="http://cce.mitre.org">CCE-37063-5</ident> <metadata> <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0" end-time="2017-05-08T21:09:46.016Z" start-time="2017-05-08T21:09:46.000Z"> <cis:and> <cis:evidence_test check="all" check_existence="at_least_one_exists" comment="Ensure 'Password Complexity' is 'Equals' to '1'" negated="false" ns="windows" objref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:obj:10006" result="unknown" testref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:tst:10006" type="passwordpolicy_test"> <cis:evidence_state steref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:ste:10006"> <cis:evidence_item itemref="787"> <cis:evidence_item_pk status="exists"/> <cis:evidence_field cv="Unknown" dt="boolean" ev="1" name="password_complexity" op="equals" result="unknown"/> </cis:evidence_item> </cis:evidence_state> </cis:evidence_test> </cis:and> </cis:evidence> </metadata> <complex-check operator="AND"> <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> <check-export export-name="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:var:1007" value-id="xccdf_org.cisecurity.benchmarks_value_1.1.5.1_var"/> <check-content-ref href="CIS_Microsoft_Windows_Server_2016_Benchmark_v1.0.0-oval.xml" name="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:def:1007"/> </check> </complex-check> </rule-result>
References:
CCE Information | |
---|---|
CCE-IDv5: | CCE-37063-5 |
Published On: | |
Last Modified On: |
Critical Controls:
Critical Control Information | |
---|---|
Control: | Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them. |
Subcontrol: | 16.5 |
Label: | Ensure Workstation Screen Locks Are Configured |
Description: | Configure screen locks on systems to limit access to unattended workstations. |
This policy setting determines whether the operating system stores passwords in a way that uses reversible encryption, which provides support for application protocols that require knowledge of the user's password for authentication purposes. Passwords that are stored with reversible encryption are essentially the same as plaintext versions of the passwords.
The recommended state for this setting is: Disabled.
Enabling this policy setting allows the operating system to store passwords in a weaker format that is much more susceptible to compromise and weakens your system security.
To establish the recommended configuration via GP, set the following UI path to Disabled:
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Password Policy\Store passwords using reversible encryption
Impact:
If your organization uses either the CHAP authentication protocol through remote access or IAS services or Digest Authentication in IIS, you must configure this policy setting to Enabled. This setting is extremely dangerous to apply through Group Policy on a user-by-user basis, because it requires the appropriate user account object to be opened in Active Directory Users and Computers.
|
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:cc="http://cisecurity.org/20-cc/v6.1" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ecl="http://cisecurity.org/check" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" idref="xccdf_org.cisecurity.benchmarks_rule_1.1.6_L1_Ensure_Store_passwords_using_reversible_encryption_is_set_to_Disabled" role="full" severity="unknown" time="2017-05-08T21:09:46.032Z" version="1" weight="1.0"> <result>unknown</result> <ident cc:controlURI="http://cisecurity.org/20-cc/v6.1/control/16/subcontrol/5" system="http://cisecurity.org/20-cc/v6.1"/> <ident cc:controlURI="http://cisecurity.org/20-cc/v6.1/control/16/subcontrol/14" system="http://cisecurity.org/20-cc/v6.1"/> <ident system="http://cce.mitre.org">CCE-36286-3</ident> <metadata> <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0" end-time="2017-05-08T21:09:46.032Z" start-time="2017-05-08T21:09:46.016Z"> <cis:and> <cis:evidence_test check="all" check_existence="at_least_one_exists" comment="Ensure 'Reversible Encryption' is 'Equals' to '0'" negated="false" ns="windows" objref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:obj:10007" result="unknown" testref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:tst:10007" type="passwordpolicy_test"> <cis:evidence_state steref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:ste:10007"> <cis:evidence_item itemref="787"> <cis:evidence_item_pk status="exists"/> <cis:evidence_field cv="Unknown" dt="boolean" ev="0" name="reversible_encryption" op="equals" result="unknown"/> </cis:evidence_item> </cis:evidence_state> </cis:evidence_test> </cis:and> </cis:evidence> </metadata> <complex-check operator="AND"> <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> <check-export export-name="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:var:1008" value-id="xccdf_org.cisecurity.benchmarks_value_1.1.6.1_var"/> <check-content-ref href="CIS_Microsoft_Windows_Server_2016_Benchmark_v1.0.0-oval.xml" name="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:def:1008"/> </check> </complex-check> </rule-result>
References:
CCE Information | |
---|---|
CCE-IDv5: | CCE-36286-3 |
Published On: | |
Last Modified On: |
Critical Controls:
Critical Control Information | |
---|---|
Control: | Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them. |
Subcontrol: | 16.5 |
Label: | Ensure Workstation Screen Locks Are Configured |
Description: | Configure screen locks on systems to limit access to unattended workstations. |
Critical Control Information | |
---|---|
Control: | Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them. |
Subcontrol: | 16.14 |
Label: | Encrypt/Hash All Authentication Files And Monitor Their Access |
Description: | Verify that all authentication files are encrypted or hashed and that these files cannot be accessed without root or administrator privileges. Audit all access to password files in the system. |
This section contains recommendations for account lockout policy.
This policy setting determines the length of time that must pass before a locked account is unlocked and a user can try to log on again. The setting does this by specifying the number of minutes a locked out account will remain unavailable. If the value for this policy setting is configured to 0, locked out accounts will remain locked out until an administrator manually unlocks them.
Although it might seem like a good idea to configure the value for this policy setting to a high value, such a configuration will likely increase the number of calls that the help desk receives to unlock accounts locked by mistake. Users should be aware of the length of time a lock remains in place, so that they realize they only need to call the help desk if they have an extremely urgent need to regain access to their computer.
The recommended state for this setting is: 15 or more minute(s).
A denial of service (DoS) condition can be created if an attacker abuses the Account lockout threshold and repeatedly attempts to log on with a specific account. Once you configure the Account lockout threshold setting, the account will be locked out after the specified number of failed attempts. If you configure the Account lockout duration setting to 0, then the account will remain locked out until an administrator unlocks it manually.
To establish the recommended configuration via GP, set the following UI path to 15 or more minute(s):
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout duration
Impact:
Although it may seem like a good idea to configure this policy setting to never automatically unlock an account, such a configuration can increase the number of requests that your organization's help desk receives to unlock accounts that were locked by mistake.
|
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:cc="http://cisecurity.org/20-cc/v6.1" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ecl="http://cisecurity.org/check" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" idref="xccdf_org.cisecurity.benchmarks_rule_1.2.1_L1_Ensure_Account_lockout_duration_is_set_to_15_or_more_minutes" role="full" severity="unknown" time="2017-05-08T21:09:46.125Z" version="1" weight="1.0"> <result>pass</result> <ident cc:controlURI="http://cisecurity.org/20-cc/v6.1/control/16/subcontrol/7" system="http://cisecurity.org/20-cc/v6.1"/> <ident cc:controlURI="http://cisecurity.org/20-cc/v6.1/control/16" system="http://cisecurity.org/20-cc/v6.1"/> <ident system="http://cce.mitre.org">CCE-37034-6</ident> <metadata> <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0" end-time="2017-05-08T21:09:46.125Z" start-time="2017-05-08T21:09:46.032Z"> <cis:and> <cis:evidence_test check="all" check_existence="at_least_one_exists" comment="Ensure '{$artifact.lockoutsetting' is '{$artifact.test.human_name}' to '{$artifact.test.value}'" negated="false" ns="windows" objref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:obj:10008" result="true" testref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:tst:10008" type="lockoutpolicy_test"> <cis:evidence_state steref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:ste:10008"> <cis:evidence_item itemref="789"> <cis:evidence_item_pk status="exists"/> <cis:evidence_field cv="900" dt="int" ev="900" name="lockout_duration" op="greater than or equal" result="true"/> </cis:evidence_item> </cis:evidence_state> </cis:evidence_test> </cis:and> </cis:evidence> </metadata> <complex-check operator="AND"> <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> <check-export export-name="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:var:1009" value-id="xccdf_org.cisecurity.benchmarks_value_1.2.1.1_var"/> <check-content-ref href="CIS_Microsoft_Windows_Server_2016_Benchmark_v1.0.0-oval.xml" name="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:def:1009"/> </check> </complex-check> </rule-result>
References:
CCE Information | |
---|---|
CCE-IDv5: | CCE-37034-6 |
Published On: | |
Last Modified On: |
Critical Controls:
Critical Control Information | |
---|---|
Control: | Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them. |
Subcontrol: | 16.7 |
Label: | Configure Account Lockouts |
Description: | Use and configure account lockouts such that after a set number of failed login attempts the account is locked for a standard period of time. |
Critical Control Information | |
---|---|
Control: | Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them. |
This policy setting determines the number of failed logon attempts before the account is locked. Setting this policy to 0 does not conform with the benchmark as doing so disables the account lockout threshold.
The recommended state for this setting is: 10 or fewer invalid logon attempt(s), but not 0.
Setting an account lockout threshold reduces the likelihood that an online password brute force attack will be successful. Setting the account lockout threshold too low introduces risk of increased accidental lockouts and/or a malicious actor intentionally locking out accounts.
To establish the recommended configuration via GP, set the following UI path to 10 or fewer invalid login attempt(s), but not 0:
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Account lockout threshold
Impact:
If this policy setting is enabled, a locked-out account will not be usable until it is reset by an administrator or until the account lockout duration expires. This setting may generate additional help desk calls.
If you enforce this setting an attacker could cause a denial of service condition by deliberately generating failed logons for multiple user, therefore you should also configure the Account Lockout Duration to a relatively low value.
If you configure the Account Lockout Threshold to 0, there is a possibility that an attacker's attempt to discover passwords with a brute force password attack might go undetected if a robust audit mechanism is not in place.
All of the following tests or sub-groups must pass: | ||||||||||||||||
|
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:cc="http://cisecurity.org/20-cc/v6.1" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ecl="http://cisecurity.org/check" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" idref="xccdf_org.cisecurity.benchmarks_rule_1.2.2_L1_Ensure_Account_lockout_threshold_is_set_to_10_or_fewer_invalid_logon_attempts_but_not_0" role="full" severity="unknown" time="2017-05-08T21:09:46.141Z" version="1" weight="1.0"> <result>pass</result> <ident cc:controlURI="http://cisecurity.org/20-cc/v6.1/control/16/subcontrol/7" system="http://cisecurity.org/20-cc/v6.1"/> <ident cc:controlURI="http://cisecurity.org/20-cc/v6.1/control/16" system="http://cisecurity.org/20-cc/v6.1"/> <ident system="http://cce.mitre.org">CCE-36008-1</ident> <metadata> <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0" end-time="2017-05-08T21:09:46.141Z" start-time="2017-05-08T21:09:46.141Z"> <cis:and> <cis:evidence_test check="all" check_existence="at_least_one_exists" comment="Ensure '{$artifact.lockoutsetting' is '{$artifact.test.human_name}' to '{$artifact.test.value}'" negated="false" ns="windows" objref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:obj:10010" result="true" testref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:tst:10010" type="lockoutpolicy_test"> <cis:evidence_state steref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:ste:10010"> <cis:evidence_item itemref="789"> <cis:evidence_item_pk status="exists"/> <cis:evidence_field cv="10" dt="int" ev="0" name="lockout_threshold" op="greater than" result="true"/> </cis:evidence_item> </cis:evidence_state> </cis:evidence_test> <cis:evidence_test check="all" check_existence="at_least_one_exists" comment="Ensure '{$artifact.lockoutsetting' is '{$artifact.test.human_name}' to '{$artifact.test.value}'" negated="false" ns="windows" objref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:obj:10009" result="true" testref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:tst:10009" type="lockoutpolicy_test"> <cis:evidence_state steref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:ste:10009"> <cis:evidence_item itemref="789"> <cis:evidence_item_pk status="exists"/> <cis:evidence_field cv="10" dt="int" ev="10" name="lockout_threshold" op="less than or equal" result="true"/> </cis:evidence_item> </cis:evidence_state> </cis:evidence_test> </cis:and> </cis:evidence> </metadata> <complex-check operator="AND"> <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> <check-export export-name="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:var:1010" value-id="xccdf_org.cisecurity.benchmarks_value_1.2.2.1_var"/> <check-content-ref href="CIS_Microsoft_Windows_Server_2016_Benchmark_v1.0.0-oval.xml" name="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:def:1010"/> </check> <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> <check-export export-name="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:var:1011" value-id="xccdf_org.cisecurity.benchmarks_value_1.2.2.2_var"/> <check-content-ref href="CIS_Microsoft_Windows_Server_2016_Benchmark_v1.0.0-oval.xml" name="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:def:1011"/> </check> </complex-check> </rule-result>
References:
CCE Information | |
---|---|
CCE-IDv5: | CCE-36008-1 |
Published On: | |
Last Modified On: |
Critical Controls:
Critical Control Information | |
---|---|
Control: | Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them. |
Subcontrol: | 16.7 |
Label: | Configure Account Lockouts |
Description: | Use and configure account lockouts such that after a set number of failed login attempts the account is locked for a standard period of time. |
Critical Control Information | |
---|---|
Control: | Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them. |
This policy setting determines the length of time before the Account lockout threshold resets to zero. The default value for this policy setting is Not Defined. If the Account lockout threshold is defined, this reset time must be less than or equal to the value for the Account lockout duration setting.
If you leave this policy setting at its default value or configure the value to an interval that is too long, your environment could be vulnerable to a DoS attack. An attacker could maliciously perform a number of failed logon attempts on all users in the organization, which will lock out their accounts. If no policy were determined to reset the account lockout, it would be a manual task for administrators. Conversely, if a reasonable time value is configured for this policy setting, users would be locked out for a set period until all of the accounts are unlocked automatically.
The recommended state for this setting is: 15 or more minute(s).
Users can accidentally lock themselves out of their accounts if they mistype their password multiple times. To reduce the chance of such accidental lockouts, the Reset account lockout counter after setting determines the number of minutes that must elapse before the counter that tracks failed logon attempts and triggers lockouts is reset to 0.
To establish the recommended configuration via GP, set the following UI path to 15 or more minute(s):
Computer Configuration\Policies\Windows Settings\Security Settings\Account Policies\Account Lockout Policy\Reset account lockout counter after
Impact:
If you do not configure this policy setting or if the value is configured to an interval that is too long, a DoS attack could occur. An attacker could maliciously attempt to log on to each user's account numerous times and lock out their accounts as described in the preceding paragraphs. If you do not configure the Reset account lockout counter after setting, administrators would have to manually unlock all accounts. If you configure this policy setting to a reasonable value the users would be locked out for some period, after which their accounts would unlock automatically. Be sure that you notify users of the values used for this policy setting so that they will wait for the lockout timer to expire before they call the help desk about their inability to log on.
|
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:cc="http://cisecurity.org/20-cc/v6.1" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ecl="http://cisecurity.org/check" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" idref="xccdf_org.cisecurity.benchmarks_rule_1.2.3_L1_Ensure_Reset_account_lockout_counter_after_is_set_to_15_or_more_minutes" role="full" severity="unknown" time="2017-05-08T21:09:46.141Z" version="1" weight="1.0"> <result>pass</result> <ident cc:controlURI="http://cisecurity.org/20-cc/v6.1/control/16/subcontrol/7" system="http://cisecurity.org/20-cc/v6.1"/> <ident cc:controlURI="http://cisecurity.org/20-cc/v6.1/control/16" system="http://cisecurity.org/20-cc/v6.1"/> <ident system="http://cce.mitre.org">CCE-36883-7</ident> <metadata> <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0" end-time="2017-05-08T21:09:46.141Z" start-time="2017-05-08T21:09:46.141Z"> <cis:and> <cis:evidence_test check="all" check_existence="at_least_one_exists" comment="Ensure '{$artifact.lockoutsetting' is '{$artifact.test.human_name}' to '{$artifact.test.value}'" negated="false" ns="windows" objref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:obj:10011" result="true" testref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:tst:10011" type="lockoutpolicy_test"> <cis:evidence_state steref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:ste:10011"> <cis:evidence_item itemref="789"> <cis:evidence_item_pk status="exists"/> <cis:evidence_field cv="900" dt="int" ev="900" name="lockout_observation_window" op="greater than or equal" result="true"/> </cis:evidence_item> </cis:evidence_state> </cis:evidence_test> </cis:and> </cis:evidence> </metadata> <complex-check operator="AND"> <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> <check-export export-name="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:var:1012" value-id="xccdf_org.cisecurity.benchmarks_value_1.2.3.1_var"/> <check-content-ref href="CIS_Microsoft_Windows_Server_2016_Benchmark_v1.0.0-oval.xml" name="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:def:1012"/> </check> </complex-check> </rule-result>
References:
CCE Information | |
---|---|
CCE-IDv5: | CCE-36883-7 |
Published On: | |
Last Modified On: |
Critical Controls:
Critical Control Information | |
---|---|
Control: | Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them. |
Subcontrol: | 16.7 |
Label: | Configure Account Lockouts |
Description: | Use and configure account lockouts such that after a set number of failed login attempts the account is locked for a standard period of time. |
Critical Control Information | |
---|---|
Control: | Actively manage the life cycle of system and application accounts – their creation, use, dormancy, deletion – in order to minimize opportunities for attackers to leverage them. |
This section contains recommendations for local policies.
This section is intentionally blank and exists to ensure the structure of Windows benchmarks is consistent.
This section contains recommendations for user rights assignments.
This security setting is used by Credential Manager during Backup and Restore. No accounts should have this user right, as it is only assigned to Winlogon. Users' saved credentials might be compromised if this user right is assigned to other entities.
The recommended state for this setting is: No One.
If an account is given this right the user of the account may create an application that calls into Credential Manager and is returned the credentials for another user.
To establish the recommended configuration via GP, set the following UI path to No One:
Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access Credential Manager as a trusted caller
Impact:
None - this is the default configuration.
|
<rule-result xmlns="http://checklists.nist.gov/xccdf/1.2" xmlns:ae="http://benchmarks.cisecurity.org/ae/0.5" xmlns:cc="http://cisecurity.org/20-cc/v6.1" xmlns:ciscf="https://benchmarks.cisecurity.org/ciscf/1.0" xmlns:ecl="http://cisecurity.org/check" xmlns:notes="http://benchmarks.cisecurity.org/notes" xmlns:xccdf="http://checklists.nist.gov/xccdf/1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" idref="xccdf_org.cisecurity.benchmarks_rule_2.2.1_L1_Ensure_Access_Credential_Manager_as_a_trusted_caller_is_set_to_No_One" role="full" severity="unknown" time="2017-05-08T21:09:56.355Z" version="1" weight="1.0"> <result>pass</result> <ident cc:controlURI="http://cisecurity.org/20-cc/v6.1/control/5/subcontrol/1" system="http://cisecurity.org/20-cc/v6.1"/> <ident system="http://cce.mitre.org">CCE-37056-9</ident> <metadata> <cis:evidence xmlns:cis="http://benchmarks.cisecurity.org/evidence/1.0" end-time="2017-05-08T21:09:56.355Z" start-time="2017-05-08T21:09:56.293Z"> <cis:and> <cis:evidence_test check="all" check_existence="at_least_one_exists" comment="Ensure 'setrustedcredmanaccessnameright' is set to 'Set Is Empty' " negated="false" ns="windows" objref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:obj:10012" result="true" testref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:tst:10012" type="accesstoken_test"> <cis:evidence_state steref="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:ste:10012"> <cis:evidence_item itemref="1487"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="Users"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1488"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="Administrators"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1489"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="Power Users"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1490"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="Guests"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1491"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="Distributed COM Users"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1492"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="BUILTIN\IIS_IUSRS"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1493"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="System Mandatory Level"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1494"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="NTLM Authentication"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1495"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="NT SERVICE"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1496"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="Performance Monitor Users"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1497"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="SChannel Authentication"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1498"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="Digest Authentication"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1499"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="CISAdmin"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1500"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="NT SERVICE\ALL SERVICES"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1501"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="NETWORK SERVICE"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1502"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="Replicator"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1503"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="Cryptographic Operators"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1504"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="Low Mandatory Level"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1505"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="High Mandatory Level"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1506"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="Network Configuration Operators"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1507"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="NT SERVICE\WdiServiceHost"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1508"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="RDS Remote Access Servers"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1509"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="Untrusted Mandatory Level"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1510"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="windows2016\DefaultAccount"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1511"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="RDS Management Servers"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1512"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="BATCH"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1513"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="NETWORK"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1514"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="DIALUP"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1515"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="ANONYMOUS LOGON"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1516"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="SERVICE"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1517"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="INTERACTIVE"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1518"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="ENTERPRISE DOMAIN CONTROLLERS"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1519"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="PROXY"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1520"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="Print Operators"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1521"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="BUILTIN\System Managed Group"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1522"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="NULL SID"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1523"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="Backup Operators"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1524"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="Hyper-V Administrators"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1525"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="Access Control Assistance Operators"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1526"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="Performance Log Users"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1527"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="CREATOR GROUP"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1528"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="CREATOR OWNER"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1529"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="CREATOR GROUP SERVER"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1530"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="CREATOR OWNER SERVER"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1531"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="LOCAL"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1532"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="CONSOLE LOGON"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1533"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="OWNER RIGHTS"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1534"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="RDS Endpoint Servers"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1535"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="BUILTIN\Storage Replica Administrators"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1536"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="Medium Mandatory Level"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1537"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="Everyone"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1538"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="Remote Desktop Users"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1539"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="Event Log Readers"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1540"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="Medium Plus Mandatory Level"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1541"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="IUSR"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1542"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="Remote Management Users"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1543"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="This Organization"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1544"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="REMOTE INTERACTIVE LOGON"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1545"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="TERMINAL SERVER USER"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1546"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="RESTRICTED"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1547"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="Authenticated Users"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1548"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="SELF"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1549"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="Certificate Service DCOM Access"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1550"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="LOCAL SERVICE"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1551"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="SYSTEM"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1552"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="NT AUTHORITY\Local account"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1553"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="GuestAccount"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1554"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="Protected Process Mandatory Level"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> <cis:evidence_item itemref="1555"> <cis:evidence_item_pk status="exists"> <cis:evidence_item_pk_field name="security_principle" value="NT AUTHORITY\Local account and member of Administrators group"/> </cis:evidence_item_pk> <cis:evidence_field cv="false" dt="boolean" ev="false" name="setrustedcredmanaccessnameright" op="equals" result="true"/> </cis:evidence_item> </cis:evidence_state> </cis:evidence_test> </cis:and> </cis:evidence> </metadata> <complex-check operator="AND"> <check system="http://oval.mitre.org/XMLSchema/oval-definitions-5"> <check-content-ref href="CIS_Microsoft_Windows_Server_2016_Benchmark_v1.0.0-oval.xml" name="oval:org.cisecurity.benchmarks.microsoft_windows_server_2016:def:1013"/> </check> </complex-check> </rule-result>
References: